Multiple cross-site scripting vulnerabilities in vRealize Log Insight were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.
Known Attack Vectors
A malicious actor with admin privileges may be able to inject malicious code into alerts and configurations due to improper input sanitization.
To remediate CVE-2022-31654 and CVE-2022-31655, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
VMware would like to thank Subramanian S for reporting this issue to us.
VMware vRealize Log Insight 8.8.2:
Mitre CVE Dictionary Links:
FIRST CVSSv3 Calculator:
CVE-2022-31654, CVE-2022-31655: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Initial security advisory.
Copyright 2022 VMware Inc. All rights reserved.