CVE-2025-41228
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| VMware | vCenter Server | 8.0 < 8.0 U3e | affected |
| VMware | Cloud Foundation | 5.x, 4.5.x | affected |
| VMware | Telco Cloud Platform | 5.x, 4.x, 3.x, 2.x | affected |
| VMware | Telco Cloud Infrastructure | 3.x,2.x | affected |
| VMware | ESXi | 8.0 < ESXi80U3se-24659227 | affected |
| VMware | ESXi | 7.0 < ESXi70U3sv-24723868 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.