CVE-2025-0281
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Published Mar 20, 2025
Updated: Mar 28, 2025
CWE ID 79
Summary
CVE-2025-0281 is a stored cross-site scripting (XSS) vulnerability impacting lunary-ai's Lunary product in versions 1.6.7 and earlier. Malicious JavaScript can be injected into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is set as `window.location.href` without proper validation or sanitization, enabling attackers to execute arbitrary JavaScript in users' browsers. Potential consequences include session hijacking, data theft, and other malicious actions. The issue is resolved in version 1.7.10.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Vendors
- Lunary