VMware vCenter Server "flashvars" Cross-site Scripting Vulnerability Fixed by VMSA-2016-0006


Description   A cross-site scripting vulnerability was reported in VMware vCenter Server. A remote attacker could exploit it by enticing a victim into opening a specially crafted link, in order to execute arbitrary JavaScript or HTML code. The vulnerability stems from the 'flashvars' parameter of Flash Player, which allows variables to be passed in from a webpage. A proof of concept is available.
     
Vulnerable Products   Vulnerable Software:
vCenter Server (VMware) - 5.1, 5.1 Update 1, 5.1 Update 2, 5.1 Update 2a, 5.1 Update 2b, ..., 5.5 Update 3a, 5.5 Update 3b, 5.5 Update 3c, 6.0, 6.0 Update 1
     
Solution   - 5.1: 5.1 U3d.
     
CVE   CVE-2016-2078
     
References   - VMSA-2016-0006: VMware vSphere Web Client reflected cross-site scripting
https://www.vmware.com/security/advisories/VMSA-2016-0006.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm (Available Since):
- XSS - Prevention - GET : javascript code in flash clickTAG parameter (3.2.0)
- XSS - Prevention - GET : 'script' tag in flash clickTAG parameter (3.2.0)
     


 
 
 
 
Risk level   Moderate

Vulnerability First Public Report Date   2016-05-24

Target Type   Server

Possible exploit   Remote