VMware warns of vCenter cross-site-scripting bug

  • 5 December 2014


Six quick fixes flicked to give vAdmins Friday snits

By Simon Sharwood, 5 Dec 2014

It's Friday! By later this afternoon you'll be working at half-pace and contemplating weekend fun.
Unless you run VMware's vCenter control freak, because Virtzilla has just revealed a nasty cross-site scripting flaw in the product.

“VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page while they are logged in to vCenter,” says VMware's advisory, issued late on Thursday US time.
 

1 reply

More Details.
 
By Eduard Kovacs on December 05, 2014

VMware has released software updates to address a series of vulnerabilities affecting the company's popular vSphere virtualization platform.
 
The list of security bugs includes a cross-site scripting (XSS) flaw, a certificate validation issue, and various vulnerabilities affecting third-party libraries. The impacted products are VMware vCenter Server Appliance 5.1 prior to Update 3, VMware vCenter Server 5.5 prior to Update 2, VMware vCenter Server 5.1 prior to Update 3, VMware vCenter Server 5.0 prior to Update 3c, and VMware ESXi 5.1 without the ESXi510-201412101-SG patch, VMware revealed in an advisory published on Thursday.
 
The XSS vulnerability (CVE-2014-3797) was discovered and reported by Tanya Secker of Trustwave SpiderLabs. The security hole affects the vCenter Server Appliance (vCSA) and it can be exploited if the attacker can trick the victim into clicking on a maliciously crafted link while logged in to the application.
 
