CVE-2025-5412
Cross Site Scripting vulnerability in Mist Community Edition up to 4.7.1
Overview
A cross-site scripting vulnerability has been discovered in Mist Community Edition up to version 4.7.1. It affects the Login function in src/mist/api/views.py, part of the Authentication Endpoint component.
Technical Details
The vulnerability arises from unsafe handling of the 'return_to' argument; manipulating it can trigger a cross-site scripting attack. The attack can be launched remotely, and the exploit has been publicly disclosed.
CVSS Metrics
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Attack Requirements: NONE
- Privileges Required: LOW
- User Interaction: PASSIVE
Impact
An attacker can affect data integrity at a LOW level. There is no impact on the confidentiality or availability of the system.
Recommendations
To protect against this vulnerability, upgrade to Mist Community Edition version 4.7.2. The patch db10ecb62ac832c1ed4924556d167efb9bc07fad fixes this issue.
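As defense in depth alongside the upgrade, the following added example (not code from Mist or from the referenced patch) shows one way to restrict a 'return_to'-style parameter to same-site paths and HTML-escape it before output. The function names, the "/" fallback and the assumption that the value is written into an href attribute are hypothetical; this page does not describe how Mist uses the value.

```python
from html import escape
from urllib.parse import urlsplit

DEFAULT_RETURN_TO = "/"  # assumed fallback landing page


def safe_return_to(value, default=DEFAULT_RETURN_TO):
    """Return value only if it is an absolute path on this site, else default."""
    if not isinstance(value, str) or not value:
        return default
    # Browsers drop tab/CR/LF inside URLs and treat "\" like "/",
    # so reject control characters and backslashes outright.
    if "\\" in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    # Exactly one leading "/": rules out "javascript:..." and "//host/..." forms.
    if not value.startswith("/") or value.startswith("//"):
        return default
    try:
        parts = urlsplit(value)
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        return default
    return value


def render_login_link(return_to):
    """Build the HTML fragment; escaping is applied even to validated values."""
    target = safe_return_to(return_to)
    return '<a id="continue" href="{}">Continue</a>'.format(
        escape(target, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = [
        "/clouds?tab=1",
        "javascript:alert(1)",
        "//other.example/x",
        "/\\other.example",
        '/a"><script>',
    ]
    for s in samples:
        print(repr(s), "->", render_login_link(s))
```

Validation and output encoding are separate controls here: the last sample passes the path check but is neutralised by escaping at render time.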
Threat Metrics
- CVSS Score: 5.1
- Severity: MEDIUM
- Attack Vector: NETWORK
- Attack Complexity: LOW