CVE-2025-22249

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

8.2HIGH

EPSS

0.2%

top 59.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vmware Aria Automation Vmware Vmware Cloud Foundation Vmware Vmware Telco Cloud Platform +3 more

Timeline

PublishedMay 13

Description

VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.7

Affected Packages6 packages

▶CVEListV5vmware/vmware_aria_automation8.18.x — 8.18.1 patch2

▶NVDvmware/aria_automation8.18.0, 8.18.1+1

▶CVEListV5vmware/vmware_cloud_foundation5.x — 8.18.1 patch 2+1

▶CVEListV5vmware/vmware_telco_cloud_platform5.x — 8.18.1 patch 2

▶NVDvmware/cloud_foundation4.0 — 5.2.1

Patches

Patch: support.broadcom.com ↗

🔴Vulnerability Details

GHSA

GHSA-2r69-79fj-p7wm: VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability↗2025-05-13

▶

CVEList

VMSA-2025-0008: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)↗2025-05-13

▶