Broadcom has disclosed three stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation Operations and related products. These flaws, identified as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, could allow authenticated attackers to inject malicious scripts, potentially enabling unauthorized administrative actions within the environment.
Details of the Vulnerabilities
Each vulnerability carries a CVSSv3 base score of 8.0, categorizing them as “Important” in severity. Stored XSS vulnerabilities are particularly concerning because the malicious payload is saved on the server and executed whenever a user accesses the compromised component, facilitating repeated attacks against multiple users.
According to Broadcom’s advisory, the vulnerabilities stem from improperly sanitized user inputs within VMware Cloud Foundation Operations. An attacker with privileges to create policies, views, or text-widgets could embed crafted scripts into these objects. When other users, including higher-privileged administrators, interact with these components, the malicious scripts execute in their session context, potentially allowing the attacker to perform unauthorized administrative actions.
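The defect class described above, as an added illustration that is not Broadcom's or VMware's code: a "text widget" whose stored body is interpolated straight into the dashboard markup, beside the same renderer with HTML output encoding applied. The widget store, field names and function names are assumptions for illustration only; the sample widget body is constructed.

```javascript
// Added example (not VMware/Broadcom code). Shows how a stored XSS in a
// dashboard "text widget" arises from rendering stored input as markup,
// and how output encoding at render time prevents it. The widget store,
// field names and function names are assumptions for illustration only.

const widgetStore = new Map();

// Save a widget's title and body as submitted by a low-privilege user.
// Storing the raw text is fine; the defect is in how it is later rendered.
function saveTextWidget(id, title, body) {
  widgetStore.set(id, { title, body });
  return widgetStore.get(id);
}

// Vulnerable rendering: the stored body is dropped into the HTML string
// unchanged, so any tag or script saved by the widget's creator is parsed
// and executed in the session of whoever views the dashboard.
function renderTextWidgetUnsafe(id) {
  const w = widgetStore.get(id);
  return `<div class="widget"><h3>${w.title}</h3><p>${w.body}</p></div>`;
}

// Output encoding: every character with meaning in an HTML text or
// attribute context is replaced by its entity, so stored content is shown
// as literal text rather than interpreted as markup.
function escapeHtml(s) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(s).replace(/[&<>"']/g, (c) => entities[c]);
}

// Hardened rendering: identical layout, but both user-controlled fields
// pass through escapeHtml before interpolation.
function renderTextWidgetSafe(id) {
  const w = widgetStore.get(id);
  return `<div class="widget"><h3>${escapeHtml(w.title)}</h3>` +
         `<p>${escapeHtml(w.body)}</p></div>`;
}

// Regression check a test suite can run over rendered output: true if a
// script tag, inline event handler or javascript: URL survived rendering.
// This is a constructed heuristic for tests, not a substitute for encoding.
function containsActiveMarkup(html) {
  return /<\s*script|\son\w+\s*=|javascript:/i.test(html);
}

// Constructed sample: a widget body mixing ordinary text with markup.
saveTextWidget('w1', 'Capacity', 'Usage <b>ok</b> & <script>alert(1)</script>');
console.log(renderTextWidgetUnsafe('w1'));
console.log(renderTextWidgetSafe('w1'));
```

The fix belongs at the render boundary, not at save time: encoding on input would corrupt legitimate text and miss paths that write to the store directly, whereas encoding every user-controlled field at output means a widget, view or policy name can never become executable markup for the administrator who opens it.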
Affected Products and Remediation
The vulnerabilities impact a range of Broadcom virtualization products, including:
- VMware Cloud Foundation Operations
- VMware Aria Operations
- VMware Cloud Foundation
- VMware vSphere Foundation
- VMware Telco Cloud Platform
Broadcom has released patches to address these issues. Administrators are urged to apply the following updates promptly:
| Product | Affected Version | Fixed Version |
|---|---|---|
| VMware Cloud Foundation Operations | 9.1.x.x | 9.1.0.0 |
| VMware Cloud Foundation Operations | 9.0.x.x | 9.0.2.0 EP2 |
| VMware Aria Operations | 8.x | 8.18.6 |
| VMware Aria Operations | 8.x | 8.18.7 |
| VMware Cloud Foundation | 5.x | 8.18.7 |
| VMware Telco Cloud Platform | 5.x | Refer to KB443138 |
Given the absence of workarounds, immediate patching is the only effective mitigation strategy. Additionally, organizations should review and restrict permissions for creating policies, views, and text-widgets to minimize the risk of exploitation.
These vulnerabilities underscore the critical importance of rigorous input validation and access control within administrative interfaces. Organizations must remain vigilant, ensuring timely application of security patches and continuous monitoring of user privileges to safeguard against such threats.
Source: Cyber Security News