CVE-2025-10280
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) in SailPoint IdentityIQ: some web services return non-HTML content with a text/html Content-Type header, so a browser that opens a crafted URL renders attacker-controlled strings in the response as markup and executes any script they carry. Exploitation needs a victim, typically an authenticated user, to follow a manipulated link. Affected users include organizations running vulnerable versions of IdentityIQ 8.5, 8.4, 8.3, and all prior versions.
💻 Affected Systems
- SailPoint IdentityIQ
📦 What is this software?
IdentityIQ by SailPoint
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, perform actions on behalf of authenticated users (IdentityIQ manages identities, entitlements and access requests, so this includes granting access), or use the IdentityIQ interface to deliver further payloads.
Likely Case
Attackers could steal session cookies or credentials from authenticated users, potentially gaining unauthorized access to identity management functions.
If Mitigated
Serving the affected web-service responses with their correct Content-Type removes the rendering path; output encoding and a strict CSP limit what an injected string can do. Note that X-Content-Type-Options: nosniff does not help here, because the server explicitly declares text/html rather than leaving the browser to guess. Until the patch is applied, the defect itself remains in the application.
🎯 Exploit Status
Exploitation requires user interaction: a victim, usually a user already authenticated to IdentityIQ, must open a crafted link. The root cause is a web service that declares text/html for non-HTML output while reflecting request data into the response without HTML encoding.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IdentityIQ 8.4p4 and later for 8.4, IdentityIQ 8.5 with latest patches, and upgrade to supported versions for older releases
Vendor Advisory: https://www.sailpoint.com/security-advisories/sailpoint-identityiq-incorrect-content-type-cross-site-scripting-vulnerability-cve-2025-10280
Restart Required: Yes
Instructions:
1. Review the SailPoint security advisory.
2. Apply the latest patches for your IdentityIQ version.
3. Restart IdentityIQ services.
4. Verify the fix by testing affected endpoints.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules that block requests carrying XSS payloads (including URL-encoded and double-encoded forms) aimed at IdentityIQ web-service endpoints. The faulty Content-Type is on the response, not the request, so request-header rules do not address the root cause.
Content Security Policy (CSP)
Implement strict CSP headers to limit what an injected script can do if the XSS is triggered.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to IdentityIQ interfaces
- Enable strict input validation and output encoding at the application layer
- Where a reverse proxy fronts IdentityIQ and a web-service path is known to return only non-HTML output, rewrite that path's response Content-Type at the proxy; confirm the endpoint never legitimately returns HTML before doing so
🔍 How to Verify
Check if Vulnerable:
Send a request carrying a harmless probe string (a unique marker wrapped in angle brackets) to IdentityIQ web services endpoints that return non-HTML content. The instance is vulnerable if the response declares Content-Type: text/html for a non-HTML body and echoes the marker unencoded.
Check Version:
Check IdentityIQ version through the administrative interface or application logs.
Verify Fix Applied:
After patching, retest affected endpoints to confirm Content-Type headers are correctly set and XSS payloads are properly escaped.
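The checks above reduce to one question per response: is the body non-HTML, is it nevertheless going to be rendered as HTML, and does it echo attacker input unencoded? The script below is an added example, not SailPoint code or anything from the advisory. It classifies a response from its headers and body, keeps the nosniff caveat straight (an explicit text/html is not fixed by X-Content-Type-Options), and includes a live helper that appends a probe to a URL; the query parameter name `q`, the probe string and all sample responses are constructed assumptions.

```python
"""Classify HTTP responses for the CVE-2025-10280 pattern: a non-HTML body
served with a text/html Content-Type. Added example, not SailPoint code.
The sample responses are constructed; the probe parameter name is assumed."""
import json
import re
from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl
from urllib.request import Request, urlopen
from urllib.error import HTTPError

HTML_TYPES = ("text/html", "application/xhtml+xml")


def media_type(content_type):
    """'Text/HTML; charset=utf-8' -> 'text/html' (parameters dropped, lower-cased)."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def sniff_body_kind(body):
    """Guess what the body really is, ignoring the declared Content-Type."""
    head = body.lstrip()[:512].decode("utf-8", "replace")
    if not head:
        return "empty"
    if head[0] in "{[":
        try:
            json.loads(body.decode("utf-8", "replace"))
            return "json"
        except ValueError:
            pass
    if head.startswith("<?xml"):
        return "xml"
    if re.match(r"<!doctype\s+html|<html", head, re.I):
        return "html"
    return "text"


def classify_response(headers, body, probe=None):
    """Verdict for one response.

    mismatch: body is not HTML but a browser would render it as HTML, either
      because Content-Type says text/html (nosniff cannot fix that) or because
      no type is declared and X-Content-Type-Options: nosniff is absent.
    reflected: the probe appears in the body unencoded, so the attacker
      controls markup in a response the browser treats as HTML.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    declared = media_type(hdrs.get("content-type"))
    nosniff = hdrs.get("x-content-type-options", "").strip().lower() == "nosniff"
    kind = sniff_body_kind(body)
    if kind == "html":
        mismatch, reason = False, "body is HTML"
    elif declared in HTML_TYPES:
        mismatch, reason = True, "non-HTML body declared as HTML; nosniff does not help"
    elif not declared and not nosniff:
        mismatch, reason = True, "no Content-Type and no nosniff; browser may sniff HTML"
    else:
        mismatch, reason = False, "declared type is not HTML"
    reflected = bool(probe) and probe.encode() in body
    return {"kind": kind, "declared": declared, "mismatch": mismatch,
            "reflected": reflected, "exploitable": mismatch and reflected,
            "reason": reason}


def check_endpoint(url, probe="<sp-cve-2025-10280-probe>", param="q", timeout=10):
    """Live check (needs network; not used by the offline demo below). Appends the
    probe as query parameter `param` (assumed name) and classifies the reply.
    Error responses carry a body too, so 4xx/5xx are classified, not raised."""
    parts = urlparse(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [(param, probe)]
    target = urlunparse(parts._replace(query=urlencode(query)))
    try:
        resp = urlopen(Request(target, headers={"Accept": "*/*"}), timeout=timeout)
    except HTTPError as err:
        resp = err
    with resp:
        return classify_response(dict(resp.headers), resp.read(), probe)


# Constructed responses covering the cases a tester runs into.
PROBE = "<sp-probe>"
SAMPLE_RESPONSES = {
    "json-as-html": ({"Content-Type": "text/html;charset=UTF-8"},
                     b'{"displayName":"<sp-probe>"}'),
    "json-as-json": ({"Content-Type": "application/json"},
                     b'{"displayName":"<sp-probe>"}'),
    "json-as-html-encoded": ({"Content-Type": "text/html"},
                             b'{"displayName":"&lt;sp-probe&gt;"}'),
    "real-html": ({"Content-Type": "text/html"},
                  b"<!DOCTYPE html><html><body>ok</body></html>"),
    "untyped": ({}, b"<sp-probe>"),
    "untyped-nosniff": ({"X-Content-Type-Options": "nosniff"}, b"<sp-probe>"),
}


def run_demo():
    """Map each sample to (mismatch, exploitable)."""
    out = {}
    for name, (hdrs, body) in SAMPLE_RESPONSES.items():
        v = classify_response(hdrs, body, PROBE)
        out[name] = (v["mismatch"], v["exploitable"])
    return out


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:22s} mismatch={verdict[0]!s:5s} exploitable={verdict[1]}")
```

The "json-as-html-encoded" sample is the state a partially mitigated instance is in: output encoding stops the probe from becoming markup, so it is not exploitable through that parameter, but the Content-Type mismatch is still present and any other unencoded field in the same response would be. Treat a fix as verified only when the declared type is correct, not merely when a probe fails to pop.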
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns with script tags or encoded payloads
- Multiple failed requests to web services endpoints
Network Indicators:
- HTTP requests with suspicious parameters in URLs targeting IdentityIQ web services
SIEM Query:
source="identityiq" AND (url="*<script>*" OR url="*javascript:*" OR status=400 OR status=500)
Run the URL match against the decoded request URL (or also include percent-encoded forms such as *%3Cscript%3E*), since browsers and tooling send the payload URL-encoded; the status=400/500 clauses are noisy on their own and are most useful when correlated by source IP and web-service path.
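To show what the query above misses and how to correlate the failure counts, here is an added example (not a SailPoint or SIEM artefact) that sweeps access-log lines for XSS probes against IdentityIQ web-service paths. It percent-decodes the URL before matching so single- and double-encoded payloads are caught, restricts alerts to web-service paths, and tallies 4xx/5xx per source IP on those paths. The combined log format, the `/identityiq/rest/` and `/identityiq/ui/rest/` prefixes and every log line are constructed assumptions.

```python
"""Detection sweep for XSS probes against IdentityIQ web-service paths in
web-server access logs. Added example, not a SailPoint or SIEM artefact. The
combined log format, the path prefixes and all log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

WEBSERVICE_PREFIXES = ("/identityiq/rest/", "/identityiq/ui/rest/")  # assumed

# Markup that has no business in a query string; applied AFTER percent-decoding.
XSS_PATTERNS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body)\b"  # tag injection
    r"|javascript\s*:"                                        # URL scheme
    r"|[\s\"'/]on[a-z]+\s*=",                                 # onerror=, onload= inside a tag
    re.I,
)

# Apache/Tomcat combined log format (assumed): ip ident user [ts] "METHOD url proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(s, rounds=3):
    """Percent-decode until stable (bounded) so %253Cscript%253E is caught."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(line):
    """Per-line verdict; alert only when a payload targets a web-service path."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = fully_decode(rec["url"])
    path = decoded.split("?", 1)[0]
    rec["decoded_url"] = decoded
    rec["xss_pattern"] = bool(XSS_PATTERNS.search(decoded))
    rec["webservice"] = path.startswith(WEBSERVICE_PREFIXES)
    rec["alert"] = rec["xss_pattern"] and rec["webservice"]
    return rec


def scan(lines):
    """Return (alerts, failures): alerts as (ip, decoded_url); failures as a per-IP
    count of 4xx/5xx on web-service paths, the 'multiple failed requests' indicator,
    which is only meaningful once correlated with the alerts."""
    alerts, failures = [], Counter()
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        if rec["alert"]:
            alerts.append((rec["ip"], rec["decoded_url"]))
        if rec["webservice"] and rec["status"] >= 400:
            failures[rec["ip"]] += 1
    return alerts, failures


# Constructed log lines; the endpoint name is invented.
SAMPLE_LOG = [
    # single-encoded <script> against a web-service path: alert
    '10.0.0.5 - - [12/Oct/2025:10:00:01 +0000] "GET /identityiq/rest/identities?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    # double-encoded <img onerror>: the raw URL has no '<', only decoding catches it
    '10.0.0.5 - - [12/Oct/2025:10:00:02 +0000] "GET /identityiq/rest/identities?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 500 0',
    # benign lookup
    '10.0.0.9 - - [12/Oct/2025:10:00:03 +0000] "GET /identityiq/rest/identities?name=alice HTTP/1.1" 200 512',
    # payload, but not against a web-service path: pattern hit, no alert
    '10.0.0.7 - - [12/Oct/2025:10:00:04 +0000] "GET /identityiq/home.jsf?x=%3Cscript%3E HTTP/1.1" 200 2048',
    # failure without a payload: counts toward the per-IP failure tally only
    '10.0.0.5 - - [12/Oct/2025:10:00:05 +0000] "GET /identityiq/rest/identities?name=bob HTTP/1.1" 404 0',
    # parameters that merely start with "on" must not fire the handler rule
    '10.0.0.9 - - [12/Oct/2025:10:00:06 +0000] "GET /identityiq/rest/identities?online=1&option=x HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    alerts, failures = scan(SAMPLE_LOG)
    for ip, url in alerts:
        print("ALERT", ip, url)
    print("failures per IP on web-service paths:", dict(failures))
```

The second sample line is the one a literal `url="*<script>*"` match never sees: the raw request contains only percent signs and digits. The event-handler rule is anchored on a preceding space, quote or slash so that ordinary parameters such as `online=` and `option=` do not fire it.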