VMSA-2025-0008: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)

Advisory ID:  VMSA-2025-0008
Advisory Severity: Important
CVSSv3 Range: 8.2
Synopsis: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)
Issue date: 2025-05-12
Updated on: 2025-05-12
CVE(s) CVE-2025-22249


1. Impacted Products

  • VMware Aria Automation
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform

2. Introduction

A DOM based Cross-Site Scripting (XSS) vulnerability in VMware Aria Automation was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.

3. DOM based Cross-site scripting (XSS) vulnerability (CVE-2025-22249)

Description:

VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.

Known Attack Vectors:

A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted URL carrying the payload.
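To illustrate the vulnerability class the advisory names, the following is an added example, not VMware Aria Automation code (which is not public here) and not from the advisory: it shows the generic DOM-based XSS pattern in which a value read from the URL fragment is concatenated into markup destined for an HTML sink, beside the hardened form that encodes the value as text. The fragment format (`#view=...`), the function names and the sample input are constructed for the example, and it runs without a browser so the rendering functions return the markup rather than writing it to a document.

```javascript
// Added example: generic DOM-based XSS pattern and its hardened form.
// Not VMware Aria Automation code; names, fragment format and inputs are constructed.

// Minimal HTML escaping for a value placed into an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Extract the "view" value from a URL fragment the way a client-side router
// might ("#view=<value>" -> "<value>"). An absent value yields "".
// In a browser this would read location.hash; here the caller passes it in.
function fragmentValue(fragment) {
  const m = /^#?view=(.*)$/.exec(fragment);
  return m ? decodeURIComponent(m[1]) : '';
}

// VULNERABLE pattern: untrusted URL data concatenated into markup that would be
// assigned to innerHTML. Any tag present in the fragment is rendered as markup.
function renderViewUnsafe(fragment) {
  return '<h1>' + fragmentValue(fragment) + '</h1>';
}

// HARDENED pattern: the same value is HTML-encoded, so markup characters become
// literal text. In a real page, prefer textContent over innerHTML altogether.
function renderViewSafe(fragment) {
  return '<h1>' + escapeHtml(fragmentValue(fragment)) + '</h1>';
}

// Defensive check suitable for a unit test: the rendered markup must contain
// no tag other than the template's own <h1> / </h1>.
function containsForeignTag(html) {
  return /<(?!\/?h1>)[a-z!\/]/i.test(html);
}

// Constructed sample fragment carrying a harmless script-tag canary, URL-encoded
// as a browser would deliver it in location.hash.
const sample = '#view=' + encodeURIComponent('<script>alert(1)</script>');

console.log('unsafe:', renderViewUnsafe(sample));
console.log('safe:  ', renderViewSafe(sample));
```

The point for a defender reviewing a single-page application is the sink, not the source: any path from `location.hash`, `location.search` or `document.referrer` into `innerHTML`, `outerHTML`, `document.write` or a framework's "raw HTML" binding is the pattern to look for, and the fix is to treat the value as text (or to encode it for the exact context it lands in).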

Resolution:

To remediate CVE-2025-22249, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds:
None.

Additional Documentation:
None.

Acknowledgements:
VMware would like to thank Bartosz Reginiak for reporting this issue to us.

Notes:
None.

Response Matrix:

Product                      Version   Running On  CVE             CVSSv3  Severity   Fixed Version   Workarounds  Additional Documents
VMware Aria Automation       8.18.x    Any         CVE-2025-22249  8.2     Important  8.18.1 patch 2  None         None
VMware Cloud Foundation      5.x, 4.x  Any         CVE-2025-22249  8.2     Important  KB394224        None         None
VMware Telco Cloud Platform  5.x       Any         CVE-2025-22249  8.2     Important  8.18.1 patch 2  None         None


4. References:

Fixed Version(s) and Release Notes:

Downloads and Documentation

https://support.broadcom.com/web/ecx/solutiondetails?patchId=5850

https://knowledge.broadcom.com/external/article/394224

Additional Documentation:

None.

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22249

FIRST CVSSv3 Calculator:

https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

5. Change Log:

2025-05-12: VMSA-2025-0008
Initial security advisory.

6. Contact:

E-mail: vmware.psirt@broadcom.com

PGP key
https://knowledge.broadcom.com/external/article/321551

VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories

VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response

VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle

VMware Security Blog
https://blogs.vmware.com/security

X
https://x.com/VMwareSRC

Copyright 2025 Broadcom All rights reserved.