CVE-2025-22249 - Vulnerability Details

CVE-2025-22249 - VMSA-2025-0008: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)

VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Vmware	Aria Automation Cloud Foundation Telco Cloud Platform

Configuration 1 [-]

OR	cpe:2.3:a:vmware:aria_automation:8.18.0:::::::*
	cpe:2.3:a:vmware:aria_automation:8.18.1:-::::::
	cpe:2.3:a:vmware:aria_automation:8.18.1:patch1::::::
	cpe:2.3:a:vmware:cloud_foundation::::::::
	cpe:2.3:a:vmware:telco_cloud_platform::::::::

No data.

References

Link	Providers
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00046}`	epss `{'score': 0.00047}`

Fri, 11 Jul 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vmware Vmware aria Automation Vmware cloud Foundation Vmware telco Cloud Platform
CPEs		cpe:2.3:a:vmware:aria_automation:8.18.0:::::::* cpe:2.3:a:vmware:aria_automation:8.18.1:-:::::: cpe:2.3:a:vmware:aria_automation:8.18.1:patch1:::::: cpe:2.3:a:vmware:cloud_foundation:::::::: cpe:2.3:a:vmware:telco_cloud_platform::::::::
Vendors & Products		Vmware Vmware aria Automation Vmware cloud Foundation Vmware telco Cloud Platform

Tue, 13 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 13 May 2025 05:30:00 +0000

Type	Values Removed	Values Added
Description		VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.
Title		VMSA-2025-0008: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)
References		https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711
Metrics		cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2025-05-13T05:08:03.265Z

Updated: 2025-05-13T13:49:59.998Z

Reserved: 2025-01-02T04:30:19.929Z

Link: CVE-2025-22249

Vulnrichment

Updated: 2025-05-13T13:49:53.231Z

NVD

Status : Analyzed

Published: 2025-05-13T06:15:36.403

Modified: 2025-07-11T14:27:30.537

Link: CVE-2025-22249

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object