CVE-2014-3797: Reflected XSS Vulnerability in VMware Virtual Center Appliance (vCSA)

Trustwave SpiderLabs published an advisory today in conjunction with VMware for a systemic reflected cross-site scripting vulnerability in the Web Application Console for the vCenter Server Appliance (vCSA). vCSA is used to manage the vSphere virtual environment and is a Linux-based alternative to vCenter Server deployments.

The vulnerability, discovered by Tanya Secker, is primarily due to the error handler echoing user-supplied data back into the response without sanitizing it. This reflected cross-site scripting vulnerability allows an attacker to inject malicious script, for example via a crafted URL, that will ultimately be executed in the victim's web browser.
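The flaw class described above, as an added illustration that is not code from the advisory, from VMware, or from vCSA itself: a constructed error handler that reflects the requested resource verbatim, the same handler with output encoding applied, and a small check a defender can run against their own error pages to confirm a harmless marker no longer survives unescaped.

```python
import html

# Constructed stand-in for a web console error handler. The real vCSA handler is
# not shown in the advisory; these functions only model the bug class it names.

def render_error_vulnerable(requested_path: str) -> str:
    # The defect: an untrusted value is concatenated straight into the HTML body,
    # so any markup it contains is parsed by the browser as part of the page.
    return (
        "<html><body><h1>Error</h1>"
        f"<p>The requested resource {requested_path} could not be found.</p>"
        "</body></html>"
    )

def render_error_hardened(requested_path: str) -> str:
    # The fix: encode for the HTML text context before reflecting. quote=True also
    # encodes ' and " so the same helper is safe inside attribute values.
    safe = html.escape(requested_path, quote=True)
    return (
        "<html><body><h1>Error</h1>"
        f"<p>The requested resource {safe} could not be found.</p>"
        "</body></html>"
    )

# Defense-in-depth headers an error page should carry alongside output encoding
# (assumed values; adjust the CSP to what the console actually needs).
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}

def reflects_unescaped(response_body: str, marker: str = "<x>") -> bool:
    """Detection helper: True when a harmless probe marker sent in the request
    comes back byte-for-byte in the body, i.e. the handler did not encode it."""
    return marker in response_body

def check_handler(render, marker: str = "<x>") -> bool:
    """True if the handler is safe: the marker is encoded, never reflected raw."""
    body = render("/console/" + marker)
    return (not reflects_unescaped(body, marker)) and html.escape(marker) in body

if __name__ == "__main__":
    for name, fn in (("vulnerable", render_error_vulnerable),
                     ("hardened", render_error_hardened)):
        print(f"{name}: {'safe' if check_handler(fn) else 'REFLECTS RAW INPUT'}")
```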

This vulnerability has been assigned CVE-2014-3797. Affected users can patch this vulnerability by upgrading to VMware Virtual Center Appliance (vCSA) Web Application Console 5.1 Update 3, available at https://www.vmware.com/go/download-vsphere.

For more details regarding this advisory please visit:

Trustwave's SpiderLabs Advisory (TWSL2014-016):
https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-016.txt
