CVE-2025-22270

Name of the Vulnerable Software and Affected Versions CyberArk Endpoint Privilege Manager in SaaS version 24.7.1

Description The issue allows an attacker with access to the Administration panel, specifically the "Role Management" tab, to inject code by adding a new role in the name field. However, the risk of exploiting this issue is reduced due to the required additional error that allows bypassing the Content-Security-Policy policy, which mitigates JS code execution while still allowing HTML injection.

Recommendations For version 24.7.1, consider restricting access to the "Role Management" tab in the Administration panel to minimize the risk of exploitation. As a temporary workaround, avoid using the name field in the "Role Management" tab until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.