VYPR
Medium severity 6.5 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2025-40904


Description

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored HTML injection in Smart Polling of Guardian/CMC before 26.1.0 allows authenticated low-privilege users to inject HTML via remote strategies, enabling phishing and open redirect.

Vulnerability

A stored HTML injection vulnerability exists in the Smart Polling functionality of Guardian and CMC versions prior to 26.1.0 [1]. The vulnerability arises from improper validation of an input parameter, allowing an authenticated user with limited privileges to inject arbitrary HTML tags into remote strategies that are synchronized via the sync mechanism [1].

Exploitation

An attacker must have authenticated access with limited privileges to push remote strategies [1]. The attacker crafts a remote strategy containing malicious HTML tags and pushes it through the sync process [1]. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML is rendered in their browser [1]. No additional user interaction beyond viewing the strategy is required.

Impact

The injected HTML renders in the victim's browser, enabling phishing attacks and potentially open redirect attacks [1]. However, full cross-site scripting (XSS) exploitation and direct information disclosure are prevented by existing input validation and the Content Security Policy (CSP) configuration [1]. The impact is limited to HTML injection, which can be used for social engineering.
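As an added example (not code from the vendor or from this advisory), the review helper below flags stored strategy text fields that contain HTML tags and lists any link-bearing attributes, which is the kind of markup that still renders when CSP blocks scripts. The record layout (`id`, `name`, `description`) and the sample data are assumptions constructed for illustration; the advisory does not document the strategy format.

```python
from html import escape
from html.parser import HTMLParser

# Attributes that can point a viewer at another site even when CSP blocks scripts.
NAV_ATTRS = {"href", "action", "formaction", "src"}

class MarkupFinder(HTMLParser):
    """Collects every start tag and any navigation-capable attribute on it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        links = [(k, v) for k, v in attrs if k in NAV_ATTRS and v]
        self.findings.append({"tag": tag, "links": links})

def audit_field(value):
    """Return the HTML start tags found in one stored text value."""
    finder = MarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings

def audit_strategies(strategies, text_fields=("name", "description")):
    """Report every field that carries markup, plus its entity-encoded form."""
    report = []
    for s in strategies:
        for field in text_fields:
            value = str(s.get(field, ""))
            hits = audit_field(value)
            if hits:
                report.append({"id": s["id"], "field": field, "findings": hits,
                               "safe_render": escape(value, quote=True)})
    return report

# Constructed sample records (hypothetical layout, not the product's schema).
SAMPLE = [
    {"id": 1, "name": "modbus-poll", "description": "Poll holding registers 0-10"},
    {"id": 2, "name": "snmp-walk",
     "description": 'See <a href="https://example.invalid/">details</a>'},
    {"id": 3, "name": "<b>urgent</b>", "description": "threshold a < b and b > c"},
]

if __name__ == "__main__":
    for row in audit_strategies(SAMPLE):
        print(row["id"], row["field"], row["findings"], row["safe_render"])
```

A plain comparison such as `a < b` is not reported because the parser only treats `<` followed by a letter as a tag opener; the `safe_render` value shows what output encoding would display instead of rendering the markup.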

Mitigation

The vulnerability is fixed in version 26.1.0 of Guardian and CMC [1]. As a workaround, administrators should review all enabled sensors and disallow or delete untrusted ones [1]. Users are advised to upgrade to version 26.1.0 or later [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
