{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27102", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-18T16:44:48.765Z", "datePublished": "2025-03-17T13:11:53.696Z", "dateUpdated": "2025-03-17T13:31:23.176Z"}, "containers": {"cna": {"title": "Agate vulnerable to HTML injection in user signup - Administrator phishing risk", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v"}, {"name": "https://github.com/obiba/agate/releases/tag/3.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/obiba/agate/releases/tag/3.3.0"}], "affected": [{"vendor": "obiba", "product": "agate", "versions": [{"version": "< 3.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-17T13:11:53.696Z"}, "descriptions": [{"lang": "en", "value": "Agate is central authentication server software for OBiBa epidemiology applications. Prior to version 3.3.0, when registering for an Agate account, arbitrary HTML code can be injected into a user's first and last name. This HTML is then rendered in the email sent to administrative users. The Agate service account sends this email and appears trustworthy, making this a significant risk for phishing attacks. Administrative users are impacted, as they can be targeted by unauthenticated users. Version 3.3.0 fixes the issue."}], "source": {"advisory": "GHSA-v3wj-7vj5-xj5v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-17T13:30:15.521823Z", "id": "CVE-2025-27102", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T13:31:23.176Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27102", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-17T13:30:15.521823Z"}}}], "references": [{"url": "https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-17T13:30:06.392Z"}}], "cna": {"title": "Agate vulnerable to HTML injection in user signup - Administrator phishing risk", "source": {"advisory": "GHSA-v3wj-7vj5-xj5v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "obiba", "product": "agate", "versions": [{"status": "affected", "version": "< 3.3.0"}]}], "references": [{"url": "https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v", "name": "https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/obiba/agate/releases/tag/3.3.0", "name": "https://github.com/obiba/agate/releases/tag/3.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Agate is central authentication server software for OBiBa epidemiology applications. Prior to version 3.3.0, when registering for an Agate account, arbitrary HTML code can be injected into a user's first and last name. This HTML is then rendered in the email sent to administrative users. The Agate service account sends this email and appears trustworthy, making this a significant risk for phishing attacks. Administrative users are impacted, as they can be targeted by unauthenticated users. Version 3.3.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-03-17T13:11:53.696Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27102", "state": "PUBLISHED", "dateUpdated": "2025-03-17T13:31:23.176Z", "dateReserved": "2025-02-18T16:44:48.765Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-03-17T13:11:53.696Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Agate is central authentication server software for OBiBa epidemiology applications. Prior to version 3.3.0, when registering for an Agate account, arbitrary HTML code can be injected into a user's first and last name. This HTML is then rendered in the email sent to administrative users. The Agate service account sends this email and appears trustworthy, making this a significant risk for phishing attacks. Administrative users are impacted, as they can be targeted by unauthenticated users. Version 3.3.0 fixes the issue."}, {"lang": "es", "value": "Agate es un software de servidor de autenticaci\u00f3n central para las aplicaciones de epidemiolog\u00eda de OBiBa. Antes de la versi\u00f3n 3.3.0, al registrar una cuenta de Agate, se pod\u00eda inyectar c\u00f3digo HTML arbitrario en el nombre y apellidos del usuario. Este HTML se mostraba en el correo electr\u00f3nico enviado a los usuarios administrativos. La cuenta de servicio de Agate env\u00eda este correo electr\u00f3nico y parece confiable, lo que supone un riesgo significativo de ataques de phishing. Los usuarios administrativos se ven afectados, ya que pueden ser atacados por usuarios no autenticados. La versi\u00f3n 3.3.0 soluciona este problema."}], "id": "CVE-2025-27102", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-03-17T14:15:21.867", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/obiba/agate/releases/tag/3.3.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}