VMWare has issued a patch fixing a Cross-Site Scripting vulnerability, rated as important, in VMware ESXi that could result in malicious script being executed by the victim’s browser.
The issue, CVE-2020-3955, impacts ESXI versions 6.5 and 6.7 and is due to the ESXI host client not properly neutralizing script-related HTML when viewing virtual machines attributes. Version 7.0 already contains the patch so is unaffected.
“A malicious actor with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim's browser when viewing this virtual machine via the ESXi Host Client,” VMWare reported.
Please register to continue.
Already registered? Log in.
Once you register, you'll receive:
The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.
Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.
SC Media’s essential morning briefing for cybersecurity professionals.
One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.