CVE-2025-59900

Name of the Vulnerable Software and Affected Versions Sync Breeze Enterprise Server version 10.4.18 Disk Pulse Enterprise version 10.4.18

Description Sync Breeze Enterprise Server and Disk Pulse Enterprise are affected by a persistent authenticated Cross-Site Scripting (XSS) issue. An attacker can potentially send malicious content to an authenticated user, potentially gaining access to their session data. This is due to inadequate validation of user input. The vulnerability is present in the following API endpoint and parameters: '/server options?sid=', with vulnerable parameters including tasks logs dir, errors logs dir, error notifications address, status notifications address, and status reports address.

Recommendations Update Sync Breeze Enterprise to a newer version that contains a fix for this vulnerability. Update Disk Pulse Enterprise to a newer version that contains a fix for this vulnerability.