Vulnerability Management

VMWare patches XSS vulnerability in ESXI

VMWare has issued a patch fixing a Cross-Site Scripting vulnerability, rated as important, in VMware ESXi that could result in malicious script being executed by the victim’s browser.

The issue, CVE-2020-3955, impacts ESXI versions 6.5 and 6.7 and is due to the ESXI host client not properly neutralizing script-related HTML when viewing virtual machines attributes. Version 7.0 already contains the patch so is unaffected.

“A malicious actor with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim's browser when viewing this virtual machine via the ESXi Host Client,” VMWare reported.

Patches are available for each of the versions 6.5 and 6.7.

Related

GAO: Most Biden cybersecurity EO requirements achieved

Forty-nine of 55 requirements under the Biden administration's executive order aimed at bolstering federal IT systems' cybersecurity defenses were noted by the Government Accountability Office to have already been fulfilled by the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget, and the National Institute of Standards and Technology, reports FedScoop.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.