{"id":"CVE-2025-27102","summary":"Agate vulnerable to HTML injection in user signup - Administrator phishing risk","details":"Agate is central authentication server software for OBiBa epidemiology applications. Prior to version 3.3.0, when registering for an Agate account, arbitrary HTML code can be injected into a user's first and last name. This HTML is then rendered in the email sent to administrative users. The Agate service account sends this email and appears trustworthy, making this a significant risk for phishing attacks. Administrative users are impacted, as they can be targeted by unauthenticated users. Version 3.3.0 fixes the issue.","aliases":["GHSA-v3wj-7vj5-xj5v"],"modified":"2026-04-10T05:24:39.442129Z","published":"2025-03-17T13:11:53.696Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27102.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"https://github.com/obiba/agate/releases/tag/3.3.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27102.json"},{"type":"ADVISORY","url":"https://github.com/obiba/agate/security/advisories/GHSA-v3wj-7vj5-xj5v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27102"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/obiba/agate","events":[{"introduced":"0"},{"fixed":"a2b56e778c1ea6858c9f2b1fb0e766e1dfb7094e"}]}],"versions":["3.1.0","3.1.1","3.2.0","3.2.0-RC1","3.2.0-RC2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27102.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:P"}]}