CVE-2025-2124
Description
A vulnerability, which was classified as problematic, was found in Control iD RH iD 25.2.25.0. This affects an unknown part of the file /v2/customerdb/person.svc/change_password of the component API Handler. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Control iD RH iD 25.2.25.0's change_password API allows remote attackers to inject arbitrary web scripts via the message argument.
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Control iD RH iD version 25.2.25.0. The flaw resides in the /v2/customerdb/person.svc/change_password endpoint, which is part of the API Handler component. By manipulating the message argument, an attacker can inject arbitrary JavaScript code. [1] The vendor was contacted but did not respond, leaving the vulnerability unaddressed.
Exploitation
The attack can be launched remotely without authentication, as the endpoint is exposed. A user must be tricked into clicking a crafted link or visiting a page that triggers the API call with the malicious message value. Since the input is not properly sanitized, the injected script executes in the context of the victim's browser against the affected application.
Impact
Successful exploitation permits an attacker to execute arbitrary HTML and JavaScript in a victim's session. This can lead to session hijacking, defacement, or redirection to malicious sites. Given the published exploit code, the risk of real-world attacks is elevated for the product's user base. [1]
Mitigation
No official patch or vendor workaround has been released. Users should consider restricting access to the /v2/customerdb/person.svc/change_password endpoint via firewall rules or a web application firewall (WAF) until a fix is provided. The product may be end-of-life or unmaintained, as the vendor did not respond to disclosure. [1]
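While access to the endpoint is being restricted, existing web server logs can be reviewed for requests that already carried markup in the message argument. The following is an added example, not code from the advisory or the vendor; it assumes combined-format access logs and that message arrives in the query string, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the advisory.
ENDPOINT = "/v2/customerdb/person.svc/change_password"
# Characters needed to open a tag or break out of a quoted attribute.
# Assumption: legitimate status messages never contain them; tune if they do.
MARKUP = re.compile(r'[<>"]')
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /v2/customerdb/person.svc/change_password?message=Password+changed HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:02:11 +0000] "GET /v2/customerdb/person.svc/change_password?message=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Jan/2025:10:02:40 +0000] "GET /v2/customerdb/person.svc/change_password?message=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 530',
    '198.51.100.7 - - [01/Jan/2025:10:05:00 +0000] "GET /v2/other?message=%3Cb%3E HTTP/1.1" 404 0',
]

def suspicious_message(line):
    """Return the decoded `message` value when the line is a request to the
    affected endpoint whose `message` contains markup characters, else None."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if url.path.rstrip("/").lower() != ENDPOINT:
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get("message", []):
        # parse_qs decodes once; decode a second time to catch double encoding.
        decoded = unquote(value)
        if MARKUP.search(decoded):
            return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_message) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_message(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: message={value!r}")
```

Requests that send message in a POST body do not appear in access logs and would need WAF or application-level logging to be reviewed the same way.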
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
3
News mentions
No linked articles in our index yet.