VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
VMware Cloud Foundation Operations contains multiple stored cross-site scripting (XSS) vulnerabilities that allow authenticated attackers with policy creation, view, or text-widget privileges to inject malicious scripts into the platform. These scripts execute in the context of administrative sessions, enabling attackers to perform unauthorized administrative actions. This vulnerability is particularly concerning because it requires only moderate privileges—not full administrator access—making it exploitable by a broader class of internal or compromised accounts. Organizations running VMware Cloud Foundation Operations are at risk, especially those with multiple administrators or service accounts that have delegated policy management capabilities.
While this CVE currently maps to zero Casky skills, practitioners defending against similar stored XSS patterns would benefit from Casky's Claude-powered analysis of input validation and output encoding weaknesses. Extended reasoning would identify attack chains involving T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts), and T1547 (Boot or Logon Autostart Execution) as attackers leverage stored scripts to execute commands with stolen or compromised credentials. Practitioners would see findings highlighting unvalidated policy parameters, widget content that bypasses sanitization, and persistent script payloads in configuration storage—indicators that attackers have achieved persistent code execution within the administrative interface itself.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-41723. Run one and get CVSS-scored findings in 3 minutes.