The vulnerability, if exploited, could allow an authenticated miscreant
(with privilege of "aaConfigTools") to tamper with App Objects' help
files and persist a cross-site scripting (XSS) injection that, when
executed by a victim user, can result in horizontal or vertical
escalation of privileges. The vulnerability can only be exploited during
config-time operations within the IDE component of Application Server.
Run-time components and operations are not affected.

AVEVA recommends that organizations evaluate the impact of these
vulnerabilities based on their operational environment, architecture,
and product implementation. Users of affected product versions should
apply security updates to mitigate the risk of exploitation.

All affected versions of the Application Server IDE can be fixed by upgrading to AVEVA System Platform 2023 R2 SP1 P03 https://softwaresupportsp.aveva.com/en-US/downloads/products/details/d32b2534-9601-4beb-ac78-046ca2ef594d or higher.

The following general defensive measures are recommended:
- Audit assigned permissions to ensure that only trusted users are
added to the "aaConfigTools" OS Group. For additional information on
Application Server OS Security groups and accounts, see https://docs.aveva.com/bundle/sp-install/page/738031.html
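
One way to run the membership audit described above on a node where the Application Server IDE is installed, as an added PowerShell example that is not taken from AVEVA's bulletin. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets; the approved account names are constructed placeholders to be replaced with your own list.

```powershell
# Added example: compare local "aaConfigTools" membership with an approved list.
$GroupName = 'aaConfigTools'
$Approved  = @(
    'ENGWS01\galaxy-admin',    # constructed placeholder
    'CORP\scada-engineers'     # constructed placeholder
)

function Compare-GroupMembership {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Members,
        [Parameter(Mandatory)] [string[]] $Approved
    )
    foreach ($m in $Members) {
        # -contains is case-insensitive, matching how Windows treats account names.
        $status = if ($Approved -contains $m.Name) { 'Approved' } else { 'Unexpected' }
        # A nested group hides its effective members; flag it for expansion and review.
        if ($m.ObjectClass -eq 'Group') { $status += ';NestedGroup' }
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass
            Source      = $m.PrincipalSource
            Status      = $status
        }
    }
}

try {
    # Fails if the group does not exist or a member SID cannot be resolved.
    $members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)
} catch {
    throw "Could not enumerate '$GroupName': $($_.Exception.Message)"
}

$report = @(Compare-GroupMembership -Members $members -Approved $Approved)
$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { $_.Status -like 'Unexpected*' })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) member(s) of '$GroupName' are not on the approved list."
}
```

Members flagged `NestedGroup` are domain or local groups whose own membership also grants the privilege, so review those groups in the directory as well.
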
For more information, see AVEVA's Security Bulletin AVEVA-2025-005 https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2025-005.pdf or AVEVA's bulletins page https://www.aveva.com/en/support-and-success/cyber-security-updates/ .