Description
VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or vCenter Server URL paths may exploit this issue to steal cookies or redirect to malicious websites.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected products
- VMware / Cloud Foundation5.x, 4.5.x – 5.x, 4.5.x
- VMware / ESXi8.0 – ESXi80U3se-24659227
- VMware / ESXi7.0 – ESXi70U3sv-24723868
- VMware / Telco Cloud Infrastructure3.x,2.x – 3.x,2.x
- VMware / Telco Cloud Platform5.x, 4.x, 3.x, 2.x – 5.x, 4.x, 3.x, 2.x
- VMware / vCenter Server8.0 – 8.0 U3e