Home

Description

The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that when executed by a victim user, can result in horizontal or vertical escalation of privileges. The vulnerability can only be exploited during config-time operations within the IDE component of Application Server. Run-time components and operations are not affected.

PUBLISHED Reserved 2025-07-30 | Published 2025-11-14 | Updated 2025-11-17 | Assigner icscert




MEDIUM: 6.9CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L

HIGH: 7.2CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H

Problem types

CWE-80

Product status

Default status
unaffected

Any version
affected

Credits

AVEVA reported this vulnerability to CISA. finder

References

www.aveva.com/...updates/SecurityBulletin-AVEVA-2025-005.pdf

www.cisa.gov/news-events/ics-advisories/icsa-25-317-02

github.com/...p/csaf_files/OT/white/2025/icsa-25-317-02.json

cve.org (CVE-2025-8386)

nvd.nist.gov (CVE-2025-8386)

Download JSON