CVE-2025-27102 MEDIUM

CVE-2025-27102: Agate vulnerable to HTML injection in user signup - Administrator phishing risk

Vendor Obiba

Product agate

Weakness CWE-79 · XSS

Published March 17, 2025

Last update March 17, 2025

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P

What the vulnerability does

01Description

Agate is central authentication server software for OBiBa epidemiology applications. Prior to version 3.3.0, when registering for an Agate account, arbitrary HTML code can be injected into a user's first and last name. This HTML is then rendered in the email sent to administrative users. The Agate service account sends this email and appears trustworthy, making this a significant risk for phishing attacks. Administrative users are impacted, as they can be targeted by unauthenticated users. Version 3.3.0 fixes the issue.

Key dates

02Disclosure timeline

March 17, 2025 CVE published

March 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-27102

Related vulnerabilities

CVE-2025-27102: Agate vulnerable to HTML injection in user signup - Administrator phishing risk

01Description

02Disclosure timeline

03References

04Related CVE