PT-2025-17871 · Unknown · Sherpa Orchestrator
Artem Brylev +1 · Published 2025-04-25 · Updated 2025-04-25 · CVE-2025-46545
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Sherpa Orchestrator version 141851
Description
The issue allows for stored XSS attacks by an administrator through the name parameter when adding or updating licenses. The XSS payload can execute when the license expires.
Recommendations
For Sherpa Orchestrator version 141851, avoid using the name parameter in the license addition or update functionality until a fix is available. As a temporary workaround, consider restricting access to the license management feature to minimize the risk of exploitation.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Sherpa Orchestrator