NN-2025:12-01

HTML injection in Time Machine functionality in Guardian/CMC before 25.5.0

Last update: 2025-12-18

Advisory ID: NN-2025:12-01
Topic: HTML injection in Time Machine functionality in Guardian/CMC before 25.5.0
CWE Impact: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Issue date: 2025-12-18
Affects: Guardian, CMC < v25.5.0
CVE Name(s): CVE-2025-40891
CVSS Details: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
               CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 2.3 (CVSS v4.0)
            4.7 (CVSS v3.1)
CVE Risk Level: Low (CVSS v4.0)
                Medium (CVSS v3.1)
Risk Level for Nozomi customers: Low

Summary

A Stored HTML Injection vulnerability was discovered in the Time Machine Snapshot Diff functionality due to improper validation of network traffic data.

Impact

An unauthenticated attacker can send specially crafted network packets at two different times to inject HTML tags into asset attributes across two snapshots. Exploitation requires a victim to use the Time Machine Snapshot Diff feature on those specific snapshots and perform specific GUI actions, at which point the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is prevented by input validation and Content Security Policy. Attack complexity is high due to multiple required conditions.
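The defect class described above is a diff view that interpolates attacker-controlled asset attributes (learned from network traffic) into HTML without output encoding. The following added example is not Nozomi's code and says nothing about how Guardian/CMC is implemented; it assumes a simplified snapshot model (a dict of asset id to attribute dict) and shows two defender-side controls: context-aware HTML escaping of every cell in a rendered snapshot diff, and a detection pass that flags attribute values containing markup so a reviewer can spot tampered asset data before it reaches a browser. Sample snapshots are constructed inline.

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed sample data: the same asset observed in two hypothetical snapshots.
# In snapshot B one attribute carries markup, as a passive-learning pipeline
# might record it from crafted traffic.
SNAPSHOT_A: Dict[str, Dict[str, str]] = {
    "asset-1": {"vendor": "ExampleVendor", "name": "PLC-01"},
}
SNAPSHOT_B: Dict[str, Dict[str, str]] = {
    "asset-1": {"vendor": "ExampleVendor",
                "name": "<a href='https://example.invalid'>PLC-01</a>"},
}

# Matches anything that looks like an HTML tag, opening or closing.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")

DiffRow = Tuple[str, str, str, str]  # (asset_id, attribute, old_value, new_value)


def contains_markup(value: str) -> bool:
    """Detection heuristic: asset attributes (vendor, hostname, ...) should never
    contain HTML tags, so any match is worth flagging for review."""
    return bool(TAG_RE.search(value))


def diff_snapshots(a: Dict[str, Dict[str, str]],
                   b: Dict[str, Dict[str, str]]) -> List[DiffRow]:
    """Return one row per attribute whose value differs between the snapshots."""
    rows: List[DiffRow] = []
    for asset_id in sorted(set(a) | set(b)):
        attrs_a, attrs_b = a.get(asset_id, {}), b.get(asset_id, {})
        for key in sorted(set(attrs_a) | set(attrs_b)):
            old, new = attrs_a.get(key, ""), attrs_b.get(key, "")
            if old != new:
                rows.append((asset_id, key, old, new))
    return rows


def render_diff_html(rows: List[DiffRow]) -> str:
    """Render the diff as an HTML table, escaping every cell.

    html.escape(..., quote=True) neutralises <, >, &, " and ' so an attribute
    value is shown as text and cannot introduce elements or attributes into
    the page. Output encoding is the primary fix; CSP and input validation
    (as the advisory notes) only limit what a successful injection can do."""
    parts = ["<table>"]
    for row in rows:
        cells = [html.escape(str(c), quote=True) for c in row]
        parts.append("<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>")
    parts.append("</table>")
    return "\n".join(parts)


def flag_suspicious_rows(rows: List[DiffRow]) -> List[DiffRow]:
    """Rows where either side of the diff contains markup, for analyst review."""
    return [r for r in rows if contains_markup(r[2]) or contains_markup(r[3])]


if __name__ == "__main__":
    changed = diff_snapshots(SNAPSHOT_A, SNAPSHOT_B)
    print(render_diff_html(changed))
    for asset_id, key, old, new in flag_suspicious_rows(changed):
        print(f"REVIEW: {asset_id}.{key} contains markup: {new!r}")
```

The escaping is done at render time, per cell, rather than by stripping tags at ingest: stripping loses forensic evidence of what was actually seen on the wire, while escaping preserves the raw value for the analyst and still guarantees the browser treats it as text. The `contains_markup` check is a review aid, not a security boundary, and is intentionally broad.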

Affected Products

Guardian, CMC < v25.5.0

Workarounds and Mitigations

N/A

Solutions

Upgrade to v25.5.0 or later.

Modification History

2025-12-18: Initial revision

Related Links

Acknowledgements

We thank the following parties for their efforts:

  • Stefano Libero, Andrea Palanca of Nozomi Networks Product Security team for finding this issue during an internal investigation

Contact

Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details on the PSIRT page.