Description
A maliciously crafted HTML payload, when rendered by the Autodesk Fusion desktop application, can trigger a Stored Cross-site Scripting (XSS) vulnerability. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Problem types
CWE-79 Cross-Site Scripting (XSS) - Stored
Product status
2602.1.25 (custom) before 2604.1.25
References
dl.appstreaming.autodesk.com/...Fusion Client Downloader.exe
dl.appstreaming.autodesk.com/...Fusion Client Downloader.dmg
www.autodesk.com/trust/security-advisories/adsk-sa-2025-0020
