CVE-2025-46545

April 25, 2025, 3:15 a.m.

4.4
Medium

Description

In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.

Product(s) Impacted

Vendor Product Versions
Sherpa
  • Sherpa Orchestrator
  • 141851

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a sherpa sherpa_orchestrator 141851 / / / / / / /

References

https://deiteriy.com
https://gist.github.com/ArtemBrylev/5a0c76285d5fa9daf4ec753034185de7
https://sherparpa.com
https://twitter.com/ArtyomBrylev

Tags

cve@mitre.org
CWE-79
2025-04-25
CVE-2025-46545

CVSS Score

4.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: HIGH
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

    View Vector String

Timeline

Published: April 25, 2025, 3:15 a.m.
Last Modified: April 25, 2025, 3:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.