By Lerpong Intaraworrapath | May 16th, 2025
VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)
| Advisory ID: | VMSA-2025-0008 |
| Advisory Severity: | Important |
| CVSSv3 Range: | 8.2 |
| Synopsis: | VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249) |
| Issue date: | 2025-05-12 |
| Updated on: | 2025-05-12 (Initial Advisory) |
| CVE(s) | CVE-2025-22249 |
Impacted Products:
- VMware Aria Automation
- VMware Cloud Foundation
- VMware Telco Cloud Platform
Introduction:
A DOM based Cross-Site Scripting (XSS) vulnerability in VMware Aria Automation was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
DOM based Cross-site scripting(XSS) vulnerability (CVE-2025-22249)
Description:
VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
Know Attack Vectors:
A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.
Resolution:
To remediate CVE-2025-22249, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Bartosz Reginiak for reporting this issue to us.
Notes:
None.
Response Matrix:
| Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Addition Documents |
| VMware Aria Automation | 8.18.x | Any | CVE-2025-22249 | 8.2 | Important | 8.18.1 patch 2 | None | None |
| VMware Cloud Foundation | 5.x, 4.x | Any | CVE-2025-22249 | 8.2 | Important | KB394224 | None | None |
| VMware Telco Cloud Platform | 5.x | Any | CVE-2025-22249 | 8.2 | Important | 8.18.1 patch 2 | None | None |
References:
Fixed Version(s) and Release Notes:
Downloads and Documentation
- https://support.broadcom.com/web/ecx/solutiondetails?patchId=5850
- https://knowledge.broadcom.com/external/article/394224
Additional Documentation:
None.
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22249
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Change Log:
2025-05-12: VMSA-2025-0008
Initial security advisory.