SailPoint IdentityIQ Incorrect Content Type Cross-Site Scripting Vulnerability – CVE-2025-10280

Description

IdentityIQ 8.5, IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4, IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p6, and all prior versions allow some IdentityIQ web services that return non-HTML content to be reached through a URL path that sets the response Content-Type to HTML. A requesting browser then renders that content as HTML, and because the content was not escaped for an HTML context, this enables Cross-Site Scripting (XSS).
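As an added illustration of the pattern the description outlines (this is not SailPoint's code and does not reflect how IdentityIQ actually routes requests; the service, paths and handler names are hypothetical): a handler that lets the URL path pick the response Content-Type, beside one that always uses the service's own media type and sets nosniff, plus a small check a defender can run against captured response headers.

```python
# Added illustration with hypothetical handlers; not IdentityIQ code.
import json
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]


def json_service(query: str) -> Tuple[str, bytes]:
    """Constructed sample web service: returns (media_type, body) as the
    service itself declares it. The body embeds caller-supplied text."""
    return "application/json", json.dumps({"q": query}).encode()


def weak_route(path: str, query: str) -> Response:
    """Weak: the URL path suffix decides the Content-Type, so a JSON body can
    be served as text/html and a browser will render any markup inside it."""
    media_type, body = json_service(query)
    if path.endswith(".html"):
        media_type = "text/html"
    return 200, {"Content-Type": media_type}, body


def hardened_route(path: str, query: str) -> Response:
    """Hardened: the Content-Type comes only from the service, never from the
    path, and X-Content-Type-Options: nosniff stops MIME guessing."""
    media_type, body = json_service(query)
    headers = {
        "Content-Type": media_type + "; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def check_response(expected_media_type: str, headers: Dict[str, str]) -> List[str]:
    """Defender's check for a captured response: report a Content-Type that
    differs from what the endpoint is documented to return, and a missing
    nosniff header. An empty list means the response passed."""
    findings: List[str] = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != expected_media_type:
        findings.append(
            f"Content-Type is {ctype or '(missing)'}, expected {expected_media_type}"
        )
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    return findings
```

Run `check_response` over the headers of each documented non-HTML endpoint, requested under every path form the application accepts, to confirm the declared Content-Type never changes with the path.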

Affected product and versions

  • IdentityIQ 8.5
  • IdentityIQ 8.4 and all 8.4 patch levels prior to 8.4p4
  • IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p6
  • All previous versions of IdentityIQ

Resolution

SailPoint has released IIQSR-940 for each impacted and supported version of IdentityIQ. Future patch levels will include the fixes once they become available.

CVE details

CVE ID: CVE-2025-10280
Published Date: 11/3/2025
Vulnerability Type: IdentityIQ Incorrect Content Type Cross-Site Scripting Vulnerability
CWE: CWE-79
CVSS v3 Score: 7.1
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H