CVE-2025-8386 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Application Server

Severity: 7.2 HIGH (NVD)
EPSS: 0.0% (top 97.97%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 15

Description

The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that, when executed by a victim user, can result in horizontal or vertical escalation of privileges. The vulnerability can only be exploited during config-time operations within the IDE component of Application Server. Run-time components and operations are not affected.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H

Affected Packages (1 package)

- aveva/application_server, Versions 2023 R2 SP1 P02 (source: CVEListV5)

Vulnerability Details (2 references)

- GHSA-jj42-75hx-q362 (GHSA, 2025-11-15): The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and
- CVEList (2025-11-14): AVEVA Application Server IDE Basic Cross-site Scripting
CVE-2025-8386 — Aveva Application Server vulnerability | cvebase