CVE-2025-10280

IdentityIQ
8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and
all 8.3 patch levels including 8.3p5, and all prior versions allows some
IdentityIQ web services that provide non-HTML content to be accessed via a URL
path that will set the Content-Type to HTML allowing a requesting browser to
interpret content not properly escaped to prevent Cross-Site Scripting (XSS).
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
SailPointCNA
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
VendorProductVersion
sailpointidentityiq
𝑥
< 8.3
sailpointidentityiq
8.3
sailpointidentityiq
8.3:patch1
sailpointidentityiq
8.3:patch2
sailpointidentityiq
8.3:patch4
sailpointidentityiq
8.3:patch5
sailpointidentityiq
8.4
sailpointidentityiq
8.4:patch1
sailpointidentityiq
8.4:patch2
sailpointidentityiq
8.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280