Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description (NVD)
VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Analysis (AI)
Stored cross-site scripting in VMware Cloud Foundation Operations (formerly VMware Aria Operations) allows authenticated users with policy, view, or text-widget creation privileges to inject scripts that execute in the browser context of other users, including administrators. The flaw spans VCF Operations 9.x, the legacy 5.x/Aria Operations 8.18.x line, and VMware Telco Cloud Platform 5.x, with a CVSS of 8.0 driven by high impact across confidentiality, integrity, and availability when a victim admin renders the malicious content. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must hold an authenticated VCF Operations / Aria Operations / Telco Cloud Platform account with at least one of the following privileges: create policies, create views, or create text-widgets. These privileges are non-default for read-only or end-user roles but are commonly granted to operations and dashboard-authoring personas. … |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H reflects a network-reachable management UI, low attack complexity, a low-privileged authenticated attacker, and required user interaction (an admin must open the poisoned view). The H/H/H impact triad is unusual for XSS and signals that successful execution against an admin session enables takeover of the Operations instance, which itself holds broad read/write authority over the virtualization estate. … |
| Exploit Scenario | A help-desk or junior operations user with delegated policy/view/widget authoring rights creates a custom view or text widget containing a malicious script payload in a field that is later rendered without encoding. When an administrator opens the dashboard, view, or policy detail to triage or review it, the script executes under the admin's authenticated session and performs administrative API actions (creating users, altering policies, or extracting inventory data) on the attacker's behalf. … |
| Remediation | A patch is available per the vendor advisory. Consult Broadcom advisory 37513 at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37513 for the exact fixed builds applicable to your VCF Operations 9.1.x, 9.0.x, 5.x/Aria 8.18.x, or Telco Cloud Platform 5.x deployment; the input data does not enumerate a single canonical fixed version string. … |
Recommended Action (AI)
Within 24 hours: Identify all deployments of VCF Operations 9.x, Aria Operations 8.18.x, and Telco Cloud Platform 5.x; audit which users hold policy, view, or text-widget creation privileges. …
Related identifiers
EUVD-2026-35030
GHSA-3q9r-4xf6-m724