CVE-2022-31663
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject JavaScript code in the target user's window.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VMware Workspace ONE Access, Identity Manager, and vRealize Automation are vulnerable to reflected XSS via improper input sanitization, requiring user interaction to inject arbitrary JavaScript.
Vulnerability
CVE-2022-31663 is a reflected cross-site scripting (XSS) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. The flaw stems from improper sanitization of user-supplied input, allowing injection of arbitrary JavaScript code into a target user's browser window [1]. Affected products include VMware Workspace ONE Access (Access), Workspace ONE Access Connector (Access Connector), Identity Manager (vIDM), Identity Manager Connector, and VMware vRealize Automation, as listed in advisory VMSA-2022-0021 [1].
Exploitation
An attacker must trick a victim into clicking a crafted link or visiting a specially crafted URL that reflects malicious input back to the user. No privileged network position is required, but successful exploitation depends on user interaction: the victim must click the attacker-controlled link. Because the attack is reflected, the malicious payload is not stored on the server; it executes only when the victim follows the crafted URL [1].
Impact
A successful attack enables the attacker to execute arbitrary JavaScript code in the context of the victim's browser session. This can lead to information disclosure, session hijacking, or actions performed on behalf of the victim with the privileges of the affected application. The scope is the victim's browser session within the vulnerable VMware application [1].
Mitigation
VMware released fixed versions in advisory VMSA-2022-0021, with updates available for Workspace ONE Access (21.08.0.1, 21.08.0.2), Access Connector (21.08.0.1, 21.08.0.2), Identity Manager (3.3.7, 3.3.8), Identity Manager Connector (3.3.7, 3.3.8), and vRealize Automation 7.6 and 8.x series. Users should apply the latest patches as detailed in the advisory [1]. No workarounds are provided; upgrading is the only mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- VMware/Workspace ONE Access, Identity Manager and vRealize Automation [description]
Patches
No patches discovered yet.
References
[1] www.vmware.com/security/advisories/VMSA-2022-0021.html (mitre, x_refsource_MISC)