This vulnerability is a stored cross-site scripting (CWE-79) issue in Nozomi Networks Guardian's Assets and Nodes features. It arises from improper input validation of a parameter used in custom fields. An authenticated user with privileges to create custom fields can insert a JavaScript payload that executes in the browsers of users viewing these pages. This can lead to unauthorized actions performed with the victim's privileges, including data modification, service disruption, and exposure of sensitive information. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no attack vector required, privileges required, user interaction needed, and high impact on integrity and availability. No patch or official fix has been published by the vendor as of the data provided.

Successful exploitation allows an attacker with limited privileges to execute arbitrary JavaScript in the context of other users' browsers when they view the affected pages. This can result in unauthorized modification of application data, disruption of application availability, and access to sensitive information that should be restricted. The vulnerability impacts the integrity, availability, and confidentiality of the application environment. There are no known active exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, organizations should restrict custom fields privileges to trusted users only and consider limiting access to the Assets and Nodes pages to reduce exposure. Monitor vendor communications for updates on remediation. Avoid granting unnecessary privileges that allow creation or modification of custom fields until a fix is released.