CVE-2025-22249

HIGH EPSS 23.4%
Published May 13, 20251y ago · Modified Jun 17, 20261w ago
8.2 CVSS 3.1
High
Find Similar
Published May 13, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.

CVSS Details

Base Score
8.2
Exploitability
2.8
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
23.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 5

VendorProductVersionRange
vmwarearia_automation8.18.0any
vmwarearia_automation8.18.1any
vmwarearia_automation8.18.1any
vmwarecloud_foundation*≥4.0  –  ≤5.2.1
vmwaretelco_cloud_platform*≥5.0  –  ≤5.0.1

References 1

  • support.broadcom.com https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711
    PatchVendor Advisory

Remediation

  • support.broadcom.com https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711
    PatchVendor Advisory