VMware fixes XSS flaws in vRealize for Linux

The stored XSS vulnerabilities in vRealize affected only some versions, but could result in code execution

VMware patched two cross-site scripting issues in several editions of its vRealize cloud software. These flaws could be exploited in stored XSS attacks and could result in the user's workstation being compromised.

The input validation error exists in Linux versions of VMware vRealize Automation 6.x prior to 6.2.4 and vRealize Business Advanced and Enterprise 8.x prior to 8.2.5, VMware said in the advisory (VMSA-2016-0003). Linux users running affected versions should update to vRealize Automation 6.2.4 and vRealize Business Advanced and Enterprise 8.2.5 to address the problems. The issues do not affect vRealize Automation 7.x on Linux or 5.x on Windows, nor vRealize Business 7.x and 6.x on Linux (vRealize Business Standard).

Both the flaw in the cloud automation tool vRealize Automation (CVE-2015-2344) and the one in the financial management software vRealize Business (CVE-2016-2075) were rated as "important." The stored XSS vulnerabilities would let attackers permanently store the injected script on the target server, from where it is served again whenever the stored information is accessed.

According to the entries in the MITRE CVE database, each of the stored XSS flaws in the two Linux applications "allows remote authenticated users to inject arbitrary Web script or HTML via unspecified vectors."

The software does not properly filter HTML code from user-supplied input, such as in a comment field or other types of input. As a result, a remote user can exploit the flaw to force the victim's Web browser to execute a malicious script. Because the browser treats the script as originating from the trusted vRealize site rather than from the attacker, the script runs in that site's security context and can access the user's stored cookies (including the authentication cookies), access recently submitted form data, and perform other actions while pretending to be the user.
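The mechanism described above, as an added example that is not code from VMware or from the advisory: a comment list rendered by string concatenation (the vulnerable pattern) beside the same list rendered with output escaping, a small regression check that confirms no script-capable markup survives in the escaped page, and the cookie and Content-Security-Policy headers that limit what an injected script could reach. The comment strings, function names and header values are constructed for illustration; nothing here reflects vRealize's actual code.

```python
"""Stored XSS: unsafe vs. escaped rendering of user-supplied comments."""
import html
import re

# Constructed sample input: comments as a user might submit them through a
# comment field. The second and third are textbook XSS test strings.
SAMPLE_COMMENTS = [
    "Approved, the blueprint looks fine.",
    "<script>alert(document.cookie)</script>",
    '<img src="x" onerror="alert(1)">',
]

# Markup that can execute script: a script tag, an on* event handler inside a
# tag, or a javascript: URL inside a tag. Escaped text never matches because
# the leading '<' has become '&lt;'.
ACTIVE_HTML = re.compile(
    r"<\s*script\b|<[^>]*\bon[a-z]+\s*=|<[^>]*javascript:", re.IGNORECASE
)


def render_unsafe(comments):
    """Vulnerable pattern: stored text is concatenated straight into the page,
    so any HTML a user stored is interpreted by every viewer's browser."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f'<ul class="comments">{items}</ul>'


def render_escaped(comments):
    """Hardened pattern: escape on output, so stored text is displayed
    verbatim but never parsed as markup."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f'<ul class="comments">{items}</ul>'


def contains_active_html(rendered):
    """Regression check for templates: True if the rendered page still carries
    script-capable markup that did not come from the template itself."""
    return ACTIVE_HTML.search(rendered) is not None


def session_cookie_header(name, value):
    """Set-Cookie attributes that keep a session cookie out of reach of
    injected script (HttpOnly) and off plaintext connections (Secure)."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csp_header():
    """A Content-Security-Policy that refuses inline script, so even an
    injected <script> block is not executed by a CSP-aware browser."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


if __name__ == "__main__":
    print("unsafe page executes script:", contains_active_html(render_unsafe(SAMPLE_COMMENTS)))
    print("escaped page executes script:", contains_active_html(render_escaped(SAMPLE_COMMENTS)))
    print("Set-Cookie:", session_cookie_header("SESSION", "example-session-id"))
    print("Content-Security-Policy:", csp_header())
```

The check in `contains_active_html` is intentionally narrow; it is a test-suite guard against templates that reintroduce raw concatenation, not a substitute for escaping. Escaping at output time is the fix the advisory's "does not properly filter" description points at, and HttpOnly cookies plus a CSP reduce the blast radius if a template is missed.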

Security Tracker, which lists information on security vulnerabilities, said the issues can result in disclosure of authentication information and execution of arbitrary code over the network, as well as disclosure and modification of user information.

VMware does not follow a set schedule for its security patches, but the vRealize patches would be the third update for 2016. VMware fixed a privilege escalation flaw in ESXi, Fusion, Player, and Workstation in January, and it closed the critical glibc vulnerability in February. The company also reissued an October patch in February addressing a remote code execution flaw in vCenter that could let unauthenticated users connect and run code.

The issue in vRealize Automation was reported by Lukasz Plonka of ING Services Polska. Last year, as an independent security consultant, Plonka reported a critical SQL injection flaw with a Common Vulnerability Scoring System rating of 9 in Cisco Secure Access Control System v5.5 and earlier. The vRealize Business vulnerability was reported by Alvaro Trigo Martin de Vidales, a senior IT security consultant with Deloitte Spain.

Stories by Fahmida Y. Rashid