CVE-2025-56535
Description
A cross-site scripting (XSS) vulnerability in OpenNebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the zone attribute parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in OpenNebula's zone attribute allows attackers to execute arbitrary web scripts when the crafted payload is rendered.
The vulnerability is a stored cross-site scripting (XSS) in OpenNebula versions prior to 7.0, specifically in the web interface component opennebula-sunstone. The 'zone' attribute parameter does not properly sanitize user input, allowing injection of arbitrary HTML/JavaScript [2].
Exploitation requires an authenticated user with privileges to modify zone attributes. The attacker injects a payload like <image src =q onerror=prompt(8)>, which is stored and then executed when other users view the affected zone configuration [2]. No special network position is needed beyond web access.
Impact includes theft of session cookies, defacement, or redirection to malicious sites, potentially compromising administrative accounts and infrastructure management.
The vulnerability is fixed in OpenNebula 7.0 Phoenix release [1]. Users are advised to upgrade to version 7.0 or later. No workarounds are documented.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:opennebula:opennebula:*:*:*:*:*:*:*:* range: <7.0.0
- (no CPE) range: =6.10.0.1
Patches
No patches discovered yet.
References
- opennebula.io/opennebula-7/ (nvd, Product)