CVE-2025-10280 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting SailPoint Technologies' IdentityIQ versions 8.3, 8.4, and 8.5, including patch levels prior to 8.4p4 and 8.3p6. The vulnerability stems from the way certain IdentityIQ web services handle content types. These services provide non-HTML content but can be accessed through URL paths that force the Content-Type header to be set to 'text/html'. This causes browsers to interpret the response as HTML, even though the content is not properly escaped or sanitized. As a result, malicious actors can inject and execute arbitrary JavaScript code in the context of the victim's browser session. The vulnerability requires low privileges (PR:L) and some user interaction (UI:R), with a high attack complexity (AC:H), indicating that exploitation is feasible but may require specific conditions or crafted requests. The impact is severe, affecting confidentiality, integrity, and availability (all rated high), as attackers could steal sensitive data, manipulate identity management workflows, or disrupt services. No public exploits have been observed yet, but the vulnerability is publicly disclosed and rated with a CVSS 3.1 score of 7.1. IdentityIQ is widely used for identity governance and administration, making this vulnerability significant for organizations relying on it for access control and compliance.

For European organizations, the impact of CVE-2025-10280 can be substantial. IdentityIQ is a critical component in managing user identities, access rights, and compliance with regulations such as GDPR. Successful exploitation could allow attackers to execute malicious scripts within the context of authenticated users, potentially leading to theft of credentials, unauthorized access to sensitive systems, and manipulation of identity data. This could result in data breaches, regulatory fines, and operational disruptions. Given the high confidentiality, integrity, and availability impacts, organizations in finance, healthcare, government, and critical infrastructure sectors are particularly vulnerable. The vulnerability also poses risks to supply chain security if IdentityIQ is used to manage third-party access. The absence of known exploits in the wild provides a window for proactive mitigation, but the public disclosure increases the risk of future exploitation attempts.

1. Apply official patches or updates from SailPoint as soon as they become available, specifically versions 8.4p4, 8.3p6, or later that address this vulnerability. 2. Until patches are applied, restrict access to vulnerable IdentityIQ web services by implementing network-level controls such as IP whitelisting or VPN-only access. 3. Employ Web Application Firewalls (WAF) with custom rules to detect and block suspicious requests targeting the vulnerable endpoints. 4. Enforce strict Content Security Policies (CSP) to limit the execution of unauthorized scripts in browsers interacting with IdentityIQ. 5. Conduct thorough input validation and output encoding on all user-controllable inputs in IdentityIQ configurations and customizations. 6. Monitor logs and user activity for signs of exploitation attempts, including unusual URL requests or script execution behaviors. 7. Educate users about phishing and social engineering risks that could facilitate exploitation requiring user interaction. 8. Review and minimize privileges for users accessing IdentityIQ to reduce the impact of potential exploitation.