CVE-2025-56535
Cross-Site Scripting (XSS) in OpenNebula
Publication date: 2026-04-29
Last updated on: 2026-04-30
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opennebula | opennebula | to 7.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue found in OpenNebula version 6.10.0.1. It allows attackers to execute arbitrary web scripts or HTML code by injecting a specially crafted payload into the zone attribute parameter.
How can this vulnerability impact me?
The vulnerability can allow attackers to run malicious scripts in the context of the affected web application. This can lead to unauthorized actions such as stealing user session cookies, defacing web content, redirecting users to malicious sites, or performing actions on behalf of the user without their consent.
Can you explain this vulnerability to me?
CVE-2025-56535 is a stored cross-site scripting (XSS) vulnerability found in OpenNebula versions prior to 7.0. It exists specifically in the opennebula-sunstone component within the zone attribute parameter. An attacker can exploit this vulnerability by injecting a crafted malicious payload, such as a script, which then executes arbitrary JavaScript code when rendered in a user's browser.
This means that when a user accesses the affected part of the application, the injected script runs in their browser context, potentially allowing the attacker to perform unauthorized actions or steal sensitive information.
The vulnerability has been fixed in OpenNebula version 7.0 and later, so upgrading to these versions is recommended to mitigate the risk.
How can this vulnerability impact me?
This stored XSS vulnerability can impact users by allowing attackers to execute arbitrary scripts in the context of the affected OpenNebula web application. This can lead to several security risks including:
- The attacker can steal session cookies or authentication tokens, potentially hijacking user accounts.
- Malicious scripts can manipulate or steal sensitive data displayed or accessible through the application.
- Attackers might perform actions on behalf of the user without their consent, leading to unauthorized operations.
- It can also be used as a vector to deliver further malware or phishing attacks targeting users of the application.
Overall, this vulnerability compromises the integrity and confidentiality of user interactions with the OpenNebula platform.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves injecting a crafted payload into the zone attribute parameter in OpenNebula versions prior to 7.0. Detection can involve checking for the presence of suspicious or malicious payloads such as `<image src =q onerror=prompt(8)>` in the zone attribute fields within the opennebula-sunstone component.
Since this is a stored cross-site scripting (XSS) vulnerability, you can detect it by inspecting the zone attribute parameter values in your OpenNebula environment for any injected scripts or unusual HTML content.
No specific commands are provided in the resources, but a practical approach would be to query or audit the zone attribute data stored in OpenNebula for suspicious script tags or event handlers.
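The audit described above, as an added example that is not part of the original record or of OpenNebula's own code: it walks the XML that the `onezone show <id> -x` / `onezone list -x` CLI prints (the `-x` flag is assumed here) and flags zone attribute values containing HTML tags, inline event handlers or `javascript:` URIs. The sample document is constructed and embeds the indicator payload quoted above.

```python
"""Audit OpenNebula zone attribute values for stored-XSS indicators (CVE-2025-56535).
Added example, not OpenNebula code; assumes the input is the XML printed by
`onezone show <id> -x` (assumed CLI flag). The sample below is constructed."""
import re
import xml.etree.ElementTree as ET

# Heuristic patterns: markup or script inside a value that should be plain text.
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event_handler", re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)),
    ("script_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]
# Constructed sample: a clean zone and one whose NAME carries the page's payload.
SAMPLE_ZONE_POOL = """<ZONE_POOL>
  <ZONE><ID>0</ID><NAME>OpenNebula</NAME>
    <TEMPLATE><ENDPOINT><![CDATA[http://localhost:2633/RPC2]]></ENDPOINT></TEMPLATE>
  </ZONE>
  <ZONE><ID>101</ID><NAME><![CDATA[<image src =q onerror=prompt(8)>]]></NAME>
    <TEMPLATE><ENDPOINT><![CDATA[http://zone-b.example:2633/RPC2]]></ENDPOINT>
      <DESCRIPTION><![CDATA[secondary site]]></DESCRIPTION></TEMPLATE>
  </ZONE>
</ZONE_POOL>"""

def classify(value):
    """Return the names of every suspicious pattern that a single value matches."""
    return [name for name, rx in SUSPICIOUS if rx.search(value or "")]

def _walk(elem, prefix=""):
    """Yield (path, element) for every descendant, so nested TEMPLATE keys are covered."""
    for child in elem:
        path = f"{prefix}/{child.tag}"
        yield path, child
        yield from _walk(child, path)

def audit_zone_xml(xml_text):
    """Return (zone_id, path, value, reasons) for every zone value containing markup."""
    root = ET.fromstring(xml_text)
    zones = [root] if root.tag == "ZONE" else root.iter("ZONE")
    findings = []
    for zone in zones:
        zone_id = zone.findtext("ID", default="?")
        for path, elem in _walk(zone):
            reasons = classify(elem.text)
            if reasons:
                findings.append((zone_id, path, elem.text.strip(), reasons))
    return findings

if __name__ == "__main__":
    for zid, path, value, reasons in audit_zone_xml(SAMPLE_ZONE_POOL):
        print(f"zone {zid} {path}: {value!r} -> {', '.join(reasons)}")
```

Any hit is a value to review and clean in the zone template; the patterns are heuristics, so a hit on a legitimately odd value is a review prompt rather than proof of exploitation.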
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenNebula to version 7.0 or later, where this vulnerability has been addressed.
Until the upgrade is possible, avoid allowing untrusted users to input data into the zone attribute parameter, and consider sanitizing or validating inputs to prevent injection of malicious scripts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2025-56535 vulnerability is a stored cross-site scripting (XSS) flaw that allows attackers to execute arbitrary scripts in the context of the affected OpenNebula application. Such vulnerabilities can potentially lead to unauthorized access to sensitive information or user sessions.
While the provided information does not explicitly mention compliance impacts, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of regulations like GDPR and HIPAA. Exploitation could lead to data breaches or unauthorized data exposure, thereby affecting compliance with these standards.
Mitigating this vulnerability by upgrading to OpenNebula version 7.0 or later, where the issue is fixed, is recommended to reduce the risk of non-compliance due to security incidents stemming from this flaw.