CVE-2025-8386

Summary

The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that when executed by a victim user, can result in horizontal or vertical escalation of privileges. The vulnerability can only be exploited during config-time operations within the IDE component of Application Server. Run-time components and operations are not affected.

Affected Software

VendorProductVersion RangeStatus
AVEVAApplication Server0 <= Versions 2023 R2 SP1 P02affected

Weaknesses

  • CWE-80: CWE-80

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References