VMware has released patches for a stored cross-site scripting (XSS) vulnerability in VMware ESXi that carries a High severity CVSS score.
As part of security advisory VMSA-2020-0008, the Stored XSS vulnerability CVE-2020-3947 impacts VMware ESXi versions 6.5 and 6.7. However, ESXi version 7.0 is not affected.
“The VMware ESXi Host Client does not properly neutralize script-related HTML when viewing virtual machines attributes,” VMware noted in the advisory.
“A malicious actor with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim’s browser when viewing this virtual machine via the ESXi Host Client.”
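The bug class the advisory describes is a management UI that renders a value the guest can set (its hostname, as reported back to the host) as HTML rather than as text. The following is an added illustration of that pattern and its fix, written for this article; it is not code from the ESXi Host Client or from VMware, and the `vm` object is a constructed sample, not a real inventory record.

```javascript
// Added illustration, not code from the ESXi Host Client or from VMware.
// Models the bug class in the advisory: an attribute that someone inside the
// guest can set (the reported hostname) is rendered into an administrator's
// page as markup instead of as text, so a script in it runs in the admin's
// browser session.

// Minimal HTML escaper for the five characters that matter in element content
// and attribute values.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
}[c]));

// Constructed sample of VM attributes as a management UI might receive them
// from the hypervisor. The hostname carries a script payload that a guest
// administrator could set without any privileges on the host.
const vm = {
  name: 'web01',
  guestHostname: 'web01<img src=x onerror="alert(document.cookie)">',
};

// Vulnerable pattern: guest-controlled text is concatenated straight into
// markup, so the injected <img onerror=...> becomes part of the page.
function renderVmRowUnsafe(vm) {
  return `<tr><td>${vm.name}</td><td>${vm.guestHostname}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped before it touches markup.
// In a real UI the equivalent is assigning to textContent rather than innerHTML.
function renderVmRowSafe(vm) {
  return `<tr><td>${escapeHtml(vm.name)}</td><td>${escapeHtml(vm.guestHostname)}</td></tr>`;
}

// Detection helper for the check below: does the rendered row contain a tag
// that only the guest-controlled value could have introduced?
function containsInjectedTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}

console.log('unsafe row injected:', containsInjectedTag(renderVmRowUnsafe(vm))); // true
console.log('safe row injected:  ', containsInjectedTag(renderVmRowSafe(vm)));   // false
```

The point of the check is that the hardened renderer still displays the hostname verbatim to the administrator, including the angle brackets, but as inert text; the fix is output encoding at the rendering boundary, not input filtering inside the guest, which the host cannot trust.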
VMware rates the advisory "Important" on its own severity scale, but the CVSSv3 base score of 8.3 falls in the High band (7.0 to 8.9) of the CVSS v3 qualitative rating scale, which is how most vulnerability trackers will classify it. The practical risk is that anyone who can change the guest's hostname, including a compromised guest with no privileges on the host, can run script in the browser session of an administrator who views that VM in the Host Client; applying the patches for 6.5 and 6.7 is the fix.