PT-2025-34947 · Arcserve · Arcserve Unified Data Protection

Watchtowr · Published 2025-08-27 · Updated 2025-08-28 · CVE-2025-34521

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Arcserve Unified Data Protection (UDP) versions prior to 10.2
Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1
Arcserve Unified Data Protection (UDP) versions 7.x and earlier
Description: A reflected cross-site scripting (XSS) vulnerability exists in the web interface of Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the victim’s browser. Successful exploitation may lead to session hijacking, credential theft, or other client-side impacts. The vulnerability requires user interaction and occurs within a shared browser context.
Recommendations:
Arcserve Unified Data Protection (UDP) versions prior to 10.2: Upgrade to version 10.2 to remediate the issue.
Arcserve Unified Data Protection (UDP) versions 8.0 through 10.1: Apply the necessary patch or upgrade to version 10.2.
Arcserve Unified Data Protection (UDP) versions 7.x and earlier: Upgrade to version 10.2 to remediate the issue.

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-34521

Affected Products: Arcserve Unified Data Protection