CVE-2025-22249
published 2025-05-13
high 8.2 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
VMware Aria Automation contains a DOM-based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted payload URL.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | aria_automation | — | — |
| vmware | aria_automation | — | — |
| vmware | cloud_foundation | 4.0 – 5.2.1 | — |
| vmware | telco_cloud_platform | 5.0 – 5.0.1 | — |
| vmware | vmware_aria_automation | >= 8.18.x < 8.18.1 patch2 | 8.18.1 patch2 |
| vmware | vmware_cloud_foundation | >= 4.x < 8.18.1 patch 2 | 8.18.1 patch 2 |
| vmware | vmware_cloud_foundation | >= 5.x < 8.18.1 patch 2 | 8.18.1 patch 2 |
| vmware | vmware_telco_cloud_platform | >= 5.x < 8.18.1 patch 2 | 8.18.1 patch 2 |