CVE-2025-8386
published 2025-11-15CVE-2025-8386: The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist…
PriorityP426medium6.9CVSS 3.1
AVLACLPRHUIRSCCHILAL
EPSS
0.14%
3.3th percentile
The vulnerability, if exploited, could allow an authenticated miscreant
(with privilege of "aaConfigTools") to tamper with App Objects' help
files and persist a cross-site scripting (XSS) injection that when
executed by a victim user, can result in horizontal or vertical
escalation of privileges. The vulnerability can only be exploited during
config-time operations within the IDE component of Application Server.
Run-time components and operations are not affected.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aveva | application_server | <= Versions 2023 R2 SP1 P02 | — |
CVSS provenance
nvdv3.16.9MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L
nvdv4.07.2HIGHCVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jj42-75hx-q362: The vulnerability, if exploited, could allow an authenticated miscreant
(with privilege of "aaConfigTools") to tamper with App Objects' help
files and
ghsa_unreviewed·2025-11-15
CVE-2025-8386 [HIGH] CWE-80 GHSA-jj42-75hx-q362: The vulnerability, if exploited, could allow an authenticated miscreant
(with privilege of "aaConfigTools") to tamper with App Objects' help
files and
The vulnerability, if exploited, could allow an authenticated miscreant
(with privilege of "aaConfigTools") to tamper with App Objects' help
files and persist a cross-site scripting (XSS) injection that when
executed by a victim user, can result in horizontal or vertical
escalation of privileges. The vulnerability can only be exploited during
config-time operations within the IDE component of Application Server.
Run-time components and operations are not affected.
CISA ICS
AVEVA Application Server IDE
cisa_ics·2025-11-13·CVSS 6.9
[MEDIUM] AVEVA Application Server IDE
ICS Advisory
##
AVEVA Application Server IDE
Release DateNovember 13, 2025
Alert CodeICSA-25-317-02
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 7.2
- ATTENTION: Low attack complexity
- Vendor: AVEVA
- Equipment: Application Server IDE
- Vulnerability: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to tamper with help files and inject cross-site scripting (XSS) code.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of AVEVA Application Server are affected:
- Application Server: Versions 2023 R2 SP1 P02 and prior
## 3.2 VU
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-15
Published