
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN297

_____________________________________________________________________

DATE                : 12/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Aria Suite versions prior
                     to 8.18.1 patch 2,
                     VMware Cloud Foundation versions 5.x, 4.x,
                     VMware Telco Cloud Platform versions prior to
                     8.18.1 patch 2.

=====================================================================
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711
_____________________________________________________________________

VMSA-2025-0008: VMware Aria automation updates address a DOM based
Cross-site scripting vulnerability (CVE-2025-22249)

Product/Component
VMware Aria Suite
VMware Cloud Foundation
VMware Telco Cloud Platform 

Notification Id
25711

Last Updated
12 May 2025

Initial Publication Date
12 May 2025

Status
OPEN

Severity
HIGH

CVSS Base Score
8.2

WorkAround

Affected CVE
CVE-2025-22249

Advisory ID:        VMSA-2025-0008
Advisory Severity:  Important
CVSSv3 Range:       8.2
Synopsis:           VMware Aria automation updates address a DOM based
                    Cross-site scripting vulnerability (CVE-2025-22249)
Issue date:         2025-05-12
Updated on:         2025-05-12
CVE(s):             CVE-2025-22249

 
1. Impacted Products

    VMware Aria Automation
    VMware Cloud Foundation
    VMware Telco Cloud Platform

2. Introduction

A DOM based Cross-Site Scripting (XSS) vulnerability in VMware
Aria Automation was privately reported to VMware. Patches are
available to remediate this vulnerability in affected VMware
products.

3. DOM based Cross-site scripting (XSS) vulnerability (CVE-2025-22249)

Description:

VMware Aria automation contains a DOM based Cross-Site Scripting
(XSS) vulnerability. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3
base score of 8.2.

Known Attack Vectors:

A malicious actor may exploit this issue to steal the access token
of a logged-in user of the VMware Aria automation appliance by
tricking the user into clicking a maliciously crafted payload URL.
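The attack vector described above has the generic shape of a DOM-based XSS: attacker-chosen data in the URL reaches an HTML sink inside client-side script, so the injected markup runs in the application's origin and can read anything the page's own scripts can. The JavaScript below is an added example and not code from the advisory or from VMware Aria Automation (the advisory does not disclose the affected code path); the view names, the fragment handling and the element stub are constructed for illustration. It shows the vulnerable pattern beside a hardened rewrite, plus the cookie attributes that keep a session token out of reach of any script that does get injected.

```javascript
// Added example, not from the advisory or the product: a generic
// DOM-based XSS sink and its hardened form. Both functions take the
// target element as a parameter so they run in a browser (real element)
// or in Node (plain object with innerHTML/textContent, as used below).

// VULNERABLE (constructed pattern): the URL fragment flows straight into
// an HTML sink. In a browser, markup in the fragment is parsed and any
// event handler in it executes with the page's origin.
function renderViewTitleUnsafe(fragment, el) {
  const view = decodeURIComponent(fragment.replace(/^#/, ''));
  el.innerHTML = '<h1>' + view + '</h1>';
  return el.innerHTML;
}

// HARDENED: (1) accept only values the application actually defines,
// (2) write through a text sink, never an HTML sink. View names are
// constructed for this example.
const KNOWN_VIEWS = new Map([
  ['deployments', 'Deployments'],
  ['catalog', 'Service Catalog'],
  ['pipelines', 'Pipelines'],
]);

function renderViewTitleSafe(fragment, el) {
  let view;
  try {
    view = decodeURIComponent(fragment.replace(/^#/, ''));
  } catch (e) {
    view = ''; // malformed %-encoding throws URIError: treat as unknown
  }
  const title = KNOWN_VIEWS.get(view) || 'Unknown view';
  el.textContent = title; // inert even if `view` contained markup
  return title;
}

// Defence in depth against the token-theft impact: a bearer token kept in
// localStorage/sessionStorage is readable by any script running in the
// page; a cookie with HttpOnly is not exposed to script at all.
function tokenCookieAttributes(token) {
  return `session=${encodeURIComponent(token)}; Secure; HttpOnly; SameSite=Strict; Path=/`;
}

// Usage with a constructed fragment and a stand-in element object.
const probe = '#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
const unsafeEl = { innerHTML: '', textContent: '' };
const safeEl = { innerHTML: '', textContent: '' };
console.log('unsafe sink received:', renderViewTitleUnsafe(probe, unsafeEl));
console.log('safe sink rendered  :', renderViewTitleSafe(probe, safeEl));
console.log('cookie:', tokenCookieAttributes('example-token'));
```

In a real page the first console line is the markup the browser would parse and execute; the second shows the same input reduced to an inert, known label. The allowlist is what makes the fix robust: escaping alone would still let a malformed fragment drive the UI into states the application never intended.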

Resolution:

To remediate CVE-2025-22249, apply the patches listed in the
'Fixed Version' column of the 'Response Matrix' below.

Workarounds:
None.

Additional Documentation:
None.

Acknowledgements:
VMware would like to thank Bartosz Reginiak for reporting this
issue to us.

Notes:
None.


Response Matrix:

Product                      Version   Running On  CVE             CVSSv3  Severity   Fixed Version   Workarounds  Additional Documents
VMware Aria Automation       8.18.x    Any         CVE-2025-22249  8.2     Important  8.18.1 patch 2  None         None
VMware Cloud Foundation      5.x, 4.x  Any         CVE-2025-22249  8.2     Important  KB394224        None         None
VMware Telco Cloud Platform  5.x       Any         CVE-2025-22249  8.2     Important  8.18.1 patch 2  None         None

 
4. References:

Fixed Version(s) and Release Notes:

Downloads and Documentation

https://support.broadcom.com/web/ecx/solutiondetails?patchId=5850

https://knowledge.broadcom.com/external/article/394224

Additional Documentation:

None.

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22249

FIRST CVSSv3 Calculator:

https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N


5. Change Log:

2025-05-12: VMSA-2025-0008
Initial security advisory.


6. Contact:

E-mail: vmware.psirt@broadcom.com

PGP key
https://knowledge.broadcom.com/external/article/321551

VMware Security Advisories
https://www.broadcom.com/support/vmware-security-advisories

VMware External Vulnerability Response and Remediation Policy
https://www.broadcom.com/support/vmware-services/security-response

VMware Lifecycle Support Phases
https://support.broadcom.com/group/ecx/productlifecycle

VMware Security Blog
https://blogs.vmware.com/security

X
https://x.com/VMwareSRC

Copyright 2025 Broadcom. All rights reserved.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
