CVE-2025-7380 in ADM
Summary
by MITRE • 07/14/2025
A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user's session, potentially accessing session cookies or other sensitive data. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/14/2025
The stored cross-site scripting vulnerability identified as CVE-2025-7380 represents a critical security flaw within the access control mechanisms of ADM software versions ranging from 4.1.0 through 4.3.3.RH61 and including ADM 5.0.0.RIN1 and earlier releases. This vulnerability resides in the folder management functionality where users can create shared folders, creating a persistent threat vector that enables attackers to inject malicious scripts into the folder name field during creation. The flaw manifests when the system fails to properly sanitize user input, allowing crafted payloads to be stored within the application's database and subsequently executed whenever the folder name is rendered in the user interface. The vulnerability maps directly to CWE-79 which defines improper neutralization of input during web output, specifically within the context of stored XSS attacks where malicious code persists and executes in the victim's browser context.
The technical implementation of this vulnerability exploits the lack of input validation and output encoding mechanisms within the ADM application's folder naming functionality. When an attacker creates a shared folder with malicious script content in the folder name field, the system stores this input without adequate sanitization or encoding processes. The vulnerability operates through the typical stored XSS attack pattern where the malicious payload is first stored in the application's backend database and then retrieved and displayed to other users during normal application operations. This creates a persistent threat where any user viewing the affected folder names will have the malicious JavaScript executed within their browser session, potentially compromising their authentication context and access privileges.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to hijack user sessions and access sensitive data through the execution of JavaScript code in the context of other users' sessions. The stored nature of the vulnerability means that the malicious code will execute every time the affected folder names are displayed, creating a continuous threat vector that persists until the vulnerability is patched or the malicious content is manually removed from the system. Attackers can leverage this vulnerability to steal session cookies, perform actions on behalf of users, access restricted resources, or even escalate privileges within the ADM environment. This threat is particularly dangerous in shared or collaborative environments where multiple users interact with the same folder structures and view shared folder names.
Mitigation strategies for CVE-2025-7380 should focus on immediate input validation and output encoding implementations within the ADM application's folder management functionality. Organizations should implement comprehensive sanitization of all user inputs, particularly in fields where folder names and other user-generated content are stored and subsequently displayed. The solution should include proper HTML encoding of output when displaying folder names and other user content, ensuring that any potentially malicious scripts are rendered harmless. Additionally, implementing Content Security Policy headers and using secure coding practices that prevent XSS vulnerabilities through proper input validation and output encoding aligns with recommended security frameworks and addresses the underlying CWE-79 vulnerability. The most effective long-term solution involves patching affected ADM versions to include proper input sanitization mechanisms and ensuring that all user-generated content undergoes appropriate validation before storage and rendering within the application interface.