
CVE-2025-5412 – Mist Community Edition Authentication Endpoint views.py login cross site scripting
https://notcve.org/view.php?id=CVE-2025-5412
01 Jun 2025 — A vulnerability classified as problematic has been found in Mist Community Edition up to 4.7.1. Affected is the function Login of the file src/mist/api/views.py of the component Authentication Endpoint. The manipulation of the argument return_to leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Stolichnayer/mist-ce-open-redirect • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-5411 – Mist Community Edition views.py tag_resources cross site scripting
https://notcve.org/view.php?id=CVE-2025-5411
01 Jun 2025 — A vulnerability was found in Mist Community Edition up to 4.7.1. It has been rated as problematic. This issue affects the function tag_resources of the file src/mist/api/tag/views.py. The manipulation of the argument tag leads to cross site scripting. The attack may be initiated remotely. • https://github.com/Stolichnayer/mist-ce-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-5410 – Mist Community Edition middleware.py session_start_response cross-site request forgery
https://notcve.org/view.php?id=CVE-2025-5410
01 Jun 2025 — A vulnerability was found in Mist Community Edition up to 4.7.1. It has been declared as problematic. This vulnerability affects the function session_start_response of the file src/mist/api/auth/middleware.py. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. • https://github.com/Stolichnayer/mist-ce-csrf • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •

CVE-2025-5409 – Mist Community Edition API Token views.py create_token access control
https://notcve.org/view.php?id=CVE-2025-5409
01 Jun 2025 — A vulnerability was found in Mist Community Edition up to 4.7.1. It has been classified as critical. This affects the function create_token of the file src/mist/api/auth/views.py of the component API Token Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. • https://github.com/Stolichnayer/mist-ce-account-takeover • CWE-266: Incorrect Privilege Assignment CWE-284: Improper Access Control •