CVE-2025-10280 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79 that impacts SailPoint Technologies IdentityIQ versions 8.3, 8.4 (including patch levels prior to 8.4p4), and 8.5. The vulnerability stems from certain IdentityIQ web services designed to deliver non-HTML content being accessible through URL paths that incorrectly set the HTTP Content-Type header to 'text/html'. This misconfiguration causes browsers to interpret the response as HTML, even though the content is not properly escaped or sanitized. As a result, malicious actors can craft URLs that inject executable scripts into the victim's browser context, leading to XSS attacks. The vulnerability requires network access (AV:N), has a high attack complexity (AC:H), requires low privileges (PR:L), and user interaction (UI:R). The scope is unchanged (S:U), but the impact is high across confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the sensitive nature of IdentityIQ deployments, which manage identity governance and access management. The flaw can be exploited to steal session tokens, perform unauthorized actions, or pivot within the network by executing arbitrary scripts in the context of authenticated users. The vulnerability was publicly disclosed on November 3, 2025, and no official patches or mitigations were linked at the time of disclosure.

The impact of CVE-2025-10280 is substantial for organizations using affected versions of SailPoint IdentityIQ. IdentityIQ is a critical identity governance and administration platform widely used by enterprises and government agencies to manage user access and compliance. Successful exploitation of this XSS vulnerability can lead to theft of authentication tokens, session hijacking, unauthorized actions performed with the victim's privileges, and potential lateral movement within the network. This compromises confidentiality by exposing sensitive identity and access data, integrity by allowing unauthorized changes, and availability if attackers disrupt services or trigger denial-of-service conditions. Given the high privileges often associated with IdentityIQ users, the vulnerability could facilitate significant security breaches, including privilege escalation and data exfiltration. The requirement for user interaction and low privileges reduces the ease of exploitation but does not eliminate the risk, especially in environments with many users and complex workflows.

To mitigate CVE-2025-10280, organizations should first verify if they are running affected versions of SailPoint IdentityIQ (8.3, 8.4 prior to 8.4p4, or 8.5). Since no official patches were linked at disclosure, immediate steps include: 1) Restrict access to IdentityIQ web services that serve non-HTML content via URL filtering or web application firewall (WAF) rules to block suspicious or malformed requests that attempt to manipulate the Content-Type header. 2) Implement strict Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks. 3) Review and harden HTTP response headers to ensure Content-Type is correctly set and not overridden by user-controllable input. 4) Conduct thorough input validation and output encoding on all user-supplied data within IdentityIQ customizations or integrations. 5) Monitor logs for unusual URL access patterns or error messages indicative of attempted exploitation. 6) Engage with SailPoint support for any available patches or hotfixes and plan for timely upgrades to patched versions once released. 7) Educate users about phishing and suspicious links to reduce the risk of user interaction exploitation.