Impact
VMware Cloud Foundation Operations contains multiple stored cross‑site scripting vulnerabilities. When a user with sufficient privileges creates policies, views or text‑widgets, the input can be saved and subsequently rendered by the application, allowing an attacker to inject malicious JavaScript. This injected script can then perform administrative actions within the system, effectively giving the attacker elevated control or access to sensitive data. The weakness reflects a stored cross‑site scripting flaw, a common web application security issue.
Affected Systems
The affected vendor is VMware. The impacted products are VMware Cloud Foundation Operations, VMware Aria Operations and VMware Telco Cloud Platform. The advisory does not list specific version ranges; hence any installation older than the latest update should be considered vulnerable. Users are advised to confirm whether they are running a pre‑patch release and to update accordingly.
Risk and Exploitability
This vulnerability scores 8 on the CVSS scale, indicating high severity. No EPSS score is available, so the probability of public exploitation is uncertain, and the vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires the attacker to possess permissions to create policies, views or text‑widgets, which means the attacker needs privileged user credentials or a prior privilege escalation. Once those prerequisites are met, the attacker can use the stored script to run arbitrary JavaScript in the context of the application, potentially increasing their privileges or accessing critical data.