CVE-2025-34521
BaseFortify
Publication date: 2025-08-27
Last updated on: 2025-09-09
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arcserve | udp | to 7.0 (exc) |
| arcserve | udp | From 8.0 (inc) to 10.2 (exc) |
| arcserve | udp | 7.0 |
| arcserve | udp | 7.0 |
| arcserve | udp | 7.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected cross-site scripting (XSS) flaw in the web interface of Arcserve Unified Data Protection (UDP). It occurs because unsanitized user input is improperly reflected in HTTP responses. An attacker with low privileges can craft malicious links that, when clicked by another user, execute arbitrary JavaScript code in that user's browser. This can lead to session hijacking, credential theft, or other client-side impacts. Exploitation requires user interaction and happens within a shared browser context.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow attackers to hijack user sessions, steal credentials, or cause other harmful effects on the client side by executing malicious JavaScript in the victim's browser. This can compromise user accounts and sensitive information accessible through the affected web interface.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Arcserve UDP to version 10.2 or later, which includes the necessary patches. If you are running versions 8.0 through 10.1, apply the patch or upgrade to 10.2. Versions 7.x and earlier are unsupported and must be upgraded to 10.2 to remediate the issue.