Skip to content
cyberexploits
webappmultipletext

VMware View Portal 3.1 - Cross-Site Scripting

VMware View Portal 3.1 - Cross-Site Scripting

Publié le 2010-05-14

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/multiple/webapps/12610.txt7eac4c3a
raw
[DSECRG-09-058] Vmware View - XSS vulnerability



Source:http://www.dsecrg.com/pages/vul/show.php?id=158



Linked XSS in VMware Portal



Digital Security Research Group [DSecRG] Advisory DSECRG-09-058



Application: VMware View Portal

Versions Affected: <= 3.1

Vendor URL: http://www.vmware.com

Bugs: XSS

Exploits: YES

Reported: 07.09.2009

Vendor response: 21.09.2009

Date of Public Advisory: 05.05.2010

CVE: CVE-2010-1143

Author: Alexey Sintsov

from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)





Description

***********



Linked XSS in VMware Portal





Details

*******



An attacker may inject JavaScript code into url.



Example:

********



https://[VMware_Portal_IP]/not_a_real_page<SCRIPT>alert(/XSS/.source)</SCRIPT>



Solution

********

Update VmWare View to version 3.1.3



References

**********

http://dsecrg.com/pages/vul/show.php?id=149

http://lists.vmware.com/pipermail/security-announce/2010/000092.html





About

*****



Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.





Contact: research [at] dsecrg [dot]com

http://www.dsecrg.com 
Voir sur GitHub