CVE-2025-5411
Cross-site Scripting Vulnerability in Mist Community Edition
Overview
This issue affects the tag_resources function in Mist Community Edition up to version 4.7.1. The manipulation of the tag argument allows an attacker to use the cross-site scripting attack. It can be triggered remotely and has been publicly disclosed.
Technical Details
The vulnerability is located in the tag_resources function of the file src/mist/api/tag/views.py. It is caused due to improper sanitization of the 'tag' argument leading to an XSS attack. The exploit is publicly available.
CVSS Metrics
- Base Score: 5.1
- Base Severity: MEDIUM
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: PASSIVE
- Confidentiality Impact: NONE
- Integrity Impact: LOW
- Availability Impact: NONE
Impact
An attacker with low privileges can exploit this vulnerability by manipulating the "tag" argument leading to cross site scripting. The vulnerability may be used and could compromise the integrity of the affected system.
Recommendations
Upgrade to Mist Community Edition version 4.7.2, which addresses this issue. The patch named "db10ecb62ac832c1ed4924556d167efb9bc07fad" has been released to resolve this vulnerability.
Threat Metrics
- "cvss_score": 5.1
- "severity": "MEDIUM"
- "attack_vector": "NETWORK"
- "attack_complexity": "LOW"