SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware vCenter Vendors:   VMware
VMware vCenter Server Input Validation Flaw Lets Remote Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1036112
SecurityTracker URL:  http://securitytracker.com/id/1036112
CVE Reference:   CVE-2015-6931   (Links to External Site)
Date:  Jun 15 2016
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.0 prior to 5.0 update 3g, 5.1 prior to 5.1 update 3d, 5.5 prior to 5.5 update 2d
Description:   A vulnerability was reported in VMware vCenter Server. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's vSphere Web Client. The code will originate from the site running the VMware vCenter Server software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Matt Schmidt reported this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the VMware vCenter Server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix (5.0 U3g, 5.1 U3d, 5.5 U2d).

[Editor's note: The vendor indicates that the vSphere Web Client component does not need to be updated.]

The vendor's advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2016-0009.html

Vendor URL:  www.vmware.com/security/advisories/VMSA-2016-0009.html (Links to External Site)
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  [Security-announce] NEW VMSA-2016-0009 VMware vCenter Server updates address an important reflective cross-site scripting issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0009
Synopsis:    VMware vCenter Server updates address an important
             reflective cross-site scripting issue
Issue date:  2016-06-14
Updated on:  2016-06-14 (Initial Advisory)
CVE number:  CVE-2015-6931
- ------------------------------------------------------------------------

1. Summary

   VMware vCenter Server updates address an important reflective
   cross-site scripting issue.

2. Relevant Releases

   vCenter Server 5.5 prior to 5.5 update 2d
   vCenter Server 5.1 prior to 5.1 update 3d
   vCenter Server 5.0 prior to 5.0 update 3g


3. Problem Description

   a. Important vCenter Server reflected cross-site scripting issue

   The vSphere Web Client contains a reflected cross-site scripting
   vulnerability due to a lack of input sanitization. An attacker can
   exploit this issue by tricking a victim into clicking a malicious
   link.

   VMware would like to thank Matt Schmidt for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2015-6931 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware             Product    Running   Replace with/
   Product            Version    on        Apply Patch
   ==============     =======    =======   =============
   vCenter Server     6.0        Any       not affected
   vCenter Server     5.5        Any       5.5 U2d *
   vCenter Server     5.1        Any       5.1 U3d *
   vCenter Server     5.0        Any       5.0 U3g *

   * The client side component of the vSphere Web Client does not need
     to be updated to remediate CVE-2015-6931. Updating the vCenter
     Server is sufficient to remediate this issue.


4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   vCenter Server
   --------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6931

- ------------------------------------------------------------------------

6. Change log

   2016-06-14 VMSA-2016-0009
   Initial security advisory in conjunction with the release of VMware
   vCenter Server 5.0 U3g on 2016-06-14.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFXYODdDEcm8Vbi9kMRAhi/AJ45s8NycL/AbvIawr+DK0QhGq19QwCeIJha
/NW3n6JSlZk+zaj6w33ZLyI=
=CSDo
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC