Support Content Notification - Support Portal

VMSA-2022-0019:VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities

Product/Component

VCF Operations/Automation (formerly VMware Aria Suite)

0 more products

Notification Id

23635

Last Updated

10 July 2022

Initial Publication Date

10 July 2022

Status

CLOSED

Severity

LOW

CVSS Base Score

3.9

WorkAround

Affected CVE

CVE-2022-31654,CVE-2022-31655

Advisory ID: VMSA-2022-0019

CVSSv3 Range: 3.9

Issue Date:2022-07-12

Updated On: 2022-07-12 (Initial Advisory)

CVE(s): CVE-2022-31654, CVE-2022-31655

Synopsis: VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities

1. Impacted Products

VMware vRealize Log Insight

2. Introduction

Multiple cross-site scripting vulnerabilities in vRealize Log Insight were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.

3. VMware vRealize Log Insight updates address multiple Cross Site Scripting (XSS) vulnerabilities (CVE-2022-31654, CVE-2022-31655)

Description

VMware vRealize Log Insight contains multiple stored cross-site scripting (XSS) vulnerabilities. VMware has evaluated the severity of these issues to be in the Low severity range with a maximum CVSSv3 base score of 3.9.

Known Attack Vectors

A malicious actor with admin privileges may be able to inject malicious code into alerts and configurations due to improper input sanitization.

Resolution

To remediate CVE-2022-31654 and CVE-2022-31655, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Subramanian S for reporting this issue to us.

Response Matrix:

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
VMware vRealize Log Insight	8.x	Any	CVE-2022-31654, CVE-2022-31655	3.9	low	8.8.2	None	None