LevelBlue SpiderLabs published an advisory today in conjunction with VMWare for a systemic reflected cross-site scripting vulnerability in the Web Application Console for the vCenter Server Appliance (vCSA). VCSA is used to manage the vSphere virtual environment and is a Linux alternative to vCenter server deployments.
The vulnerability, discovered by Tanya Secker, is primarily due to the error handler echoing back user supplied data without sanitizing it. The reflected cross-site scripting vulnerability allows an attacker to inject malicious scripts via a URL or otherwise that will ultimately be executed in the victim's web browser.
This vulnerability has been assigned CVE-2014-3797. Affected users can patch this vulnerability by upgrading to VMware Virtual Center Appliance (vCSA) Web Application Console 5.1 Update 3 at https://www.vmware.com/go/download-vsphere
For more details regarding this advisory please visit:
LevelBlue's SpiderLabs Advisory (TWSL2014-016):
TWSL2014-016
