CVE-2025-34521 MEDIUM

CVE-2025-34521: Arcserve UDP < 10.2 Reflected Cross-Site Scripting (XSS)

Vendor Arcserve
Product Unified Data Protection (UDP)
Weakness CWE-79 · XSS
Published August 27, 2025
Last update May 15, 2026
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the victim’s browser. Successful exploitation may lead to session hijacking, credential theft, or other client-side impacts. The vulnerability requires user interaction and occurs within a shared browser context. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue.

Key dates

02Disclosure timeline

August 27, 2025 CVE published
May 15, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-43051 IBM Cognos Analytics cross-site scripting CVE-2024-53964 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2025-57908 WordPress Product Time Countdown for WooCommerce plugin <= 1.6.5 - Cross Site Scripting (XSS) vulnerability CVE-2022-2690 SourceCodester Wedding Hall Booking System Booking Form cross site scripting CVE-2024-32542 WordPress Bulk Block Converter plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability