SpiderLabs Blog

CVE-2014-3797: Reflected XSS Vulnerability in VMware Virtual Center Appliance (vCSA)

Trustwave SpiderLabs published an advisory today in conjunction with VMware for a systemic reflected cross-site scripting vulnerability in the Web Application Console for the vCenter Server Appliance (vCSA). vCSA is used to manage the vSphere virtual environment and is a Linux alternative to vCenter server deployments.

The vulnerability, discovered by Tanya Secker, is primarily due to the error handler echoing back user-supplied data without sanitizing it. The reflected cross-site scripting vulnerability allows an attacker to inject malicious scripts, via a URL or otherwise, that will ultimately be executed in the victim's web browser.
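The pattern described above, an error handler that reflects request data into its HTML response, is shown here beside a hardened form. This is an added example, not code from VMware or from the Trustwave advisory; the handler names, the `action` parameter and the page template are hypothetical, since the post does not name the affected parameter or implementation.

```python
import html
from urllib.parse import parse_qs

# Hypothetical error page template (assumption, not the vCSA page).
PAGE = "<html><body><h1>Error</h1><p>Unknown action: {}</p></body></html>"

def _respond(start_response, body, extra_headers=()):
    headers = [("Content-Type", "text/html; charset=utf-8"), *extra_headers]
    start_response("400 Bad Request", headers)
    return [body.encode("utf-8")]

def error_handler_vulnerable(environ, start_response):
    # Echoes the request parameter straight into the HTML error page.
    action = parse_qs(environ.get("QUERY_STRING", "")).get("action", [""])[0]
    return _respond(start_response, PAGE.format(action))

def error_handler_hardened(environ, start_response):
    # Same page, but the reflected value is HTML-encoded for the element
    # context, and a restrictive CSP blocks inline script if an encoding
    # step is ever missed elsewhere.
    action = parse_qs(environ.get("QUERY_STRING", "")).get("action", [""])[0]
    safe = html.escape(action, quote=True)
    return _respond(start_response, PAGE.format(safe),
                    [("Content-Security-Policy", "default-src 'self'"),
                     ("X-Content-Type-Options", "nosniff")])

def render(handler, query_string):
    """Call a WSGI handler with a constructed request; return (headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(handler({"QUERY_STRING": query_string}, start_response))
    return captured["headers"], body.decode("utf-8")

# Constructed sample input: a harmless marker script in the "action" parameter.
SAMPLE_QUERY = "action=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    for h in (error_handler_vulnerable, error_handler_hardened):
        print(h.__name__, "->", render(h, SAMPLE_QUERY)[1])
```

The vulnerable handler returns the marker as live markup, while the hardened one returns it as inert text (`&lt;script&gt;...`), which is the property to check for when retesting error pages after the upgrade.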

This vulnerability has been assigned CVE-2014-3797. Affected users can patch this vulnerability by upgrading to VMware Virtual Center Appliance (vCSA) Web Application Console 5.1 Update 3 at https://www.vmware.com/go/download-vsphere

For more details regarding this advisory please visit:

Trustwave's SpiderLabs Advisory (TWSL2014-016):