CVE-2025-22274: HTML injection in CyberArk Endpoint Privilege Manager
First published: Fri Feb 28 2025(Updated: )
It is possible to inject HTML code into the page content using the "content" field in the "Application definition" page. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.
Credit: cvd@cert.pl
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CyberArk Endpoint Privilege Manager |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-22274?
CVE-2025-22274 is considered a critical vulnerability due to the potential for HTML injection, which can lead to security breaches.
How do I fix CVE-2025-22274?
To fix CVE-2025-22274, update CyberArk Endpoint Privilege Manager to version 24.7.2 or later where the injection issue is resolved.
What does CVE-2025-22274 affect?
CVE-2025-22274 affects the CyberArk Endpoint Privilege Manager SaaS version 24.7.1.
What are the risks associated with CVE-2025-22274?
The risks associated with CVE-2025-22274 include unauthorized access and manipulation of web page content which could compromise the application.
Is there a workaround for CVE-2025-22274?
Currently, the recommended approach for CVE-2025-22274 is to apply the latest updates, as no specific workaround is provided.
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/references
- agent/last-modified-date
- agent/title
- agent/author
- agent/source
- agent/weakness
- agent/severity
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- vendor/cyberark
- canonical/cyberark endpoint privilege manager