
VMware patches XSS vulnerability in ESXi

VMware has issued a patch for a cross-site scripting (XSS) vulnerability in VMware ESXi, rated important, that could result in malicious script being executed by the victim’s browser.

The issue, CVE-2020-3955, affects ESXi versions 6.5 and 6.7 and stems from the ESXi Host Client not properly neutralizing script-related HTML when displaying virtual machine attributes. Version 7.0 already contains the fix and is unaffected.

“A malicious actor with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim's browser when viewing this virtual machine via the ESXi Host Client,” VMware reported.

Patches are available for both affected versions, 6.5 and 6.7.
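
The bug class described above, a guest-controlled attribute such as the hostname reaching a management UI without output encoding, is shown below as an added example with the weak rendering pattern beside the corrected one. It is not VMware's code; the function names, the VM record shape and the sample values are assumptions constructed for illustration.

```javascript
// Added illustration, NOT ESXi Host Client code. All names are hypothetical.

// Constructed sample of guest-reported VM properties. The hostname is set
// from inside the guest, so the management UI must treat it as untrusted.
const sampleVms = [
  { id: "vm-1", hostname: "build-agent-01" },
  { id: "vm-2", hostname: "<script>alert(1)</script>" }, // constructed test value
];

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the untrusted attribute is concatenated straight into markup.
function renderRowUnsafe(vm) {
  return `<tr><td>${vm.id}</td><td>${vm.hostname}</td></tr>`;
}

// Corrected pattern: every dynamic value is encoded at the point of output.
function renderRowSafe(vm) {
  return `<tr><td>${escapeHtml(vm.id)}</td><td>${escapeHtml(vm.hostname)}</td></tr>`;
}

// Defence in depth at ingest: accept only RFC 1123 hostname syntax
// (labels of 1-63 letters, digits or hyphens; 253 characters overall).
const LABEL = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
function isValidHostname(name) {
  return typeof name === "string" && name.length >= 1 && name.length <= 253 &&
    name.split(".").every((label) => LABEL.test(label));
}

// Return the ids of VMs whose reported hostname fails validation, so the
// anomaly can be logged and reviewed rather than silently displayed.
function flagSuspiciousVms(vms) {
  return vms.filter((vm) => !isValidHostname(vm.hostname)).map((vm) => vm.id);
}

console.log(renderRowSafe(sampleVms[1]));
console.log(flagSuspiciousVms(sampleVms));
```

Output encoding is the actual fix for this class of bug; the hostname validation is only an additional check that also gives defenders something to alert on.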
