Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft

Summary: Broadcom has issued security updates to address five vulnerabilities in VMware Aria Operations and Aria Operations for Logs, which could allow attackers to gain elevated access or obtain sensitive information. The identified flaws primarily affect versions 8.x of the software and include issues ranging from credential exposure to cross-site scripting (XSS). All vulnerabilities have been patched in version 8.18.3 of the software.

Affected: VMware Aria Operations and Aria Operations for Logs

Keypoints:

  • CVE-2025-22218: High-severity flaw allowing an actor with View Only Admin permissions to read credentials (CVSS 8.5).
  • CVE-2025-22219: XSS vulnerability that could allow script injection by non-admin users (CVSS 6.8).
  • CVE-2025-22220: Non-admin users may perform admin-level operations via API access (CVSS 4.3).
  • CVE-2025-22221: Potential XSS via script injection by admin users during delete actions (CVSS 5.2).
  • CVE-2025-22222: Flaw allowing users to retrieve the credentials configured for outbound plugins (CVSS 7.7).

Source: https://thehackernews.com/2025/01/broadcom-patches-vmware-aria-flaws.html