VMware patches Stored XSS vulnerability (CVE-2020-3955) in ESXi

VMware has released a patch for a High severity Stored cross-site scripting (XSS) vulnerability in VMware ESXi.

As part of security advisory VMSA-2020-0008, the Stored XSS vulnerability CVE-2020-3955 impacts VMware ESXi versions 6.5 and 6.7; ESXi version 7.0 is not affected.

“The VMware ESXi Host Client does not properly neutralize script-related HTML when viewing virtual machines attributes,” VMware noted in the advisory.

“A malicious actor with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim’s browser when viewing this virtual machine via the ESXi Host Client.”

Although VMware rates the security update “Important”, the vulnerability carries a CVSS score of 8.3, which most severity scales classify as High.
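As an added illustration of the bug class the advisory describes (example code, not VMware's and not the Host Client's implementation), the following shows a guest-reported attribute rendered unescaped beside its neutralized form, plus a check an administrator could run over exported inventory data; the field names and the sample hostname are assumptions:

```javascript
// Added illustration (not VMware's code): a guest-controlled VM attribute such as the
// hostname reaches the management UI as a string and must be neutralized before rendering.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
}[c]));

// Vulnerable pattern: the guest-supplied value is interpolated straight into markup,
// so whatever the guest OS sets becomes part of the page the administrator views.
function renderVmRowUnsafe(vm) {
  return `<tr><td>${vm.name}</td><td>${vm.guestHostname}</td></tr>`;
}

// Hardened pattern: every guest-reported field is HTML-escaped first
// (in a live DOM, assigning via textContent achieves the same thing).
function renderVmRowSafe(vm) {
  return `<tr><td>${escapeHtml(vm.name)}</td><td>${escapeHtml(vm.guestHostname)}</td></tr>`;
}

// Defender-side check: RFC 1123 hostnames contain only letters, digits, '-' and '.',
// so any other character in a guest-reported hostname is worth flagging for review.
const HOSTNAME_RE =
  /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;
function isSuspiciousHostname(h) {
  return !HOSTNAME_RE.test(String(h));
}

// Constructed sample (hypothetical value): a guest reporting a hostname that carries markup.
const sampleVm = { name: "web01", guestHostname: "host<b>x</b>" };
```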
