VMSA-2025-0008: VMware Aria Automation updates address a DOM-based Cross-site scripting vulnerability (CVE-2025-22249)
Advisory ID: | VMSA-2025-0008 |
Advisory Severity: | Important |
CVSSv3 Range: | 8.2 |
Synopsis: | VMware Aria Automation updates address a DOM-based Cross-site scripting vulnerability (CVE-2025-22249) |
Issue date: | 2025-05-12 |
Updated on: | 2025-05-12 |
CVE(s): | CVE-2025-22249 |
1. Impacted Products
- VMware Aria Automation
- VMware Cloud Foundation
- VMware Telco Cloud Platform
2. Introduction
A DOM-based Cross-Site Scripting (XSS) vulnerability in VMware Aria Automation was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
3. DOM-based Cross-site scripting (XSS) vulnerability (CVE-2025-22249)
Description:
VMware Aria Automation contains a DOM-based Cross-Site Scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
Known Attack Vectors:
A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted payload URL.
Resolution:
To remediate CVE-2025-22249, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Bartosz Reginiak for reporting this issue to us.
Notes:
None.
Response Matrix:
Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
---|---|---|---|---|---|---|---|---|
VMware Aria Automation | 8.18.x | Any | CVE-2025-22249 | 8.2 | Important | 8.18.1 patch 2 | None | None |
VMware Cloud Foundation | 5.x, 4.x | Any | CVE-2025-22249 | 8.2 | Important | KB394224 | None | None |
VMware Telco Cloud Platform | 5.x | Any | CVE-2025-22249 | 8.2 | Important | 8.18.1 patch 2 | None | None |
4. References:
Fixed Version(s) and Release Notes:
Downloads and Documentation
https://support.broadcom.com/web/ecx/solutiondetails?patchId=5850
https://knowledge.broadcom.com/external/article/394224
Additional Documentation:
None.
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22249
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
5. Change Log:
2025-05-12: VMSA-2025-0008
Initial security advisory.
6. Contact:
E-mail: vmware.psirt@broadcom.com
PGP key
https://knowledge.broadcom.com/external/article/321551
VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories
VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response
VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle
VMware Security Blog
https://blogs.vmware.com/security
X
https://x.com/VMwareSRC
Copyright 2025 Broadcom All rights reserved.