CVE-2025-27930

Stored XSS in Debug-Info HTML files generated by the File / Directory Monitor.

Vulnerability Details
Severity: Medium
CVE ID: CVE-2025-27930
Affected software versions: Version 176600 and below
Fixed Version: Version 176700 and above
Fixed On: 7 July 2025

Details

For customers using the File/Directory monitor with content check enabled, a stored XSS vulnerability may arise from the Debug-Info HTML files generated during monitoring. These HTML files are generated from the monitored file's content.

Impact

If the debug HTML file link is opened in a browser, malicious content in the monitored file can cause the victim's browser to execute malicious JavaScript. As a result, an attacker may exploit this vulnerability to carry out actions within the scope of an administrator user of Applications Manager.

Fix

Applications Manager version 176700 and above (refer above for other fixed versions) fixes this issue by implementing proper encoding.
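
The following is an added illustration of this class of fix, not ManageEngine's code: a debug report built from a monitored file's content, first with the content copied in verbatim and then with HTML encoding applied, plus a regression check that flags any tag the report template did not emit. The function names, report layout and sample file content are assumptions constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample of a monitored file; the second line carries markup.
SAMPLE_CONTENT = (
    "2025-07-01 10:00:01 INFO service started\n"
    "2025-07-01 10:00:02 ERROR <script>alert(1)</script>\n"
)
# Tags the hypothetical report template itself emits.
TEMPLATE_TAGS = {"html", "body", "h1", "p", "table", "tr", "td", "pre"}


def _render(content, pattern, encode):
    rows = []
    for number, line in enumerate(content.splitlines(), start=1):
        matched = "yes" if re.search(pattern, line) else "no"
        rows.append(f"<tr><td>{number}</td><td>{matched}</td>"
                    f"<td><pre>{encode(line)}</pre></td></tr>")
    return ("<html><body><h1>Content check debug info</h1>"
            f"<p>Pattern: {encode(pattern)}</p>"
            f"<table>{''.join(rows)}</table></body></html>")


def debug_html_unencoded(content, pattern):
    """'Before' form: file content is copied into the page verbatim."""
    return _render(content, pattern, encode=lambda value: value)


def debug_html_encoded(content, pattern):
    """Hardened form: every value from the file or config is HTML-encoded."""
    return _render(content, pattern, encode=lambda value: html.escape(value, quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def unexpected_tags(page):
    """Regression check: tags in the page that the template did not emit."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags - TEMPLATE_TAGS
```

A check like `unexpected_tags` can run in a test suite against any report generator that embeds untrusted file content, so a later template change that drops the encoding is caught before release.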

Steps to update

Update your Applications Manager instance to the latest build using the service pack.

Source and Acknowledgements

Find out more about CVE-2025-27930 from the CVE Directory and NIST NVD.

Reported by:

Ngockhanhc311 from FPT NightWolf

Need Help?

For clarification or corrections, please contact our support team or email us at appmanager-support@manageengine.com.
