VMware View Portal 3.1 – Cross-Site Scripting

  • Author: Alexey Sintsov
    Date: 2010-05-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/12610/
  • [DSECRG-09-058] VMware View - XSS vulnerability
    
    Source: http://www.dsecrg.com/pages/vul/show.php?id=158
    
    Linked XSS in VMware Portal
    
    Digital Security Research Group [DSecRG] Advisory DSECRG-09-058
    
    Application: VMware View Portal
    Versions Affected: <= 3.1
    Vendor URL: http://www.vmware.com
    Bugs: XSS
    Exploits: YES
    Reported: 07.09.2009
    Vendor response: 21.09.2009
    Date of Public Advisory: 05.05.2010
    CVE: CVE-2010-1143
    Author: Alexey Sintsov
    from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
    
    
    Description
    ***********
    
    Linked XSS in VMware Portal
    
    
    Details
    *******
    
    An attacker may inject JavaScript code into the URL.
    
    Example:
    ********
    
    https://[VMware_Portal_IP]/not_a_real_page<SCRIPT>alert(/XSS/.source)</SCRIPT>
    
    Solution
    ********
    Update VMware View to version 3.1.3.
    
    References
    **********
    http://dsecrg.com/pages/vul/show.php?id=149
    http://lists.vmware.com/pipermail/security-announce/2010/000092.html
    
    
    About
    *****
    
    Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
    
    
    Contact: research [at] dsecrg [dot] com
    http://www.dsecrg.com
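
The flaw class shown in the Example section, as an added illustration that is not part of the DSecRG advisory and is not VMware code: a "page not found" handler that copies the requested path into its HTML, next to the output-encoded form, with a regression check a defender can run against either. It assumes the error page reflects the path, which the advisory implies but does not spell out; the function names and the harmless probe marker are constructed for this example.

```python
import html
from urllib.parse import unquote

# Constructed, harmless probe: inert markup instead of script.
MARKER = "<i>reflect-probe</i>"
PROBE_PATH = "/not_a_real_page" + MARKER
# Same probe percent-encoded, as a browser or proxy may send it.
ENCODED_PATH = "/not_a_real_page%3Ci%3Ereflect-probe%3C%2Fi%3E"

TEMPLATE = "<html><body><h1>404</h1><p>Not found: {path}</p></body></html>"


def render_404_unsafe(raw_path: str) -> str:
    """Vulnerable pattern: the decoded request path is copied into the
    page as-is, so any markup in the URL becomes part of the document."""
    return TEMPLATE.format(path=unquote(raw_path))


def render_404_safe(raw_path: str) -> str:
    """Hardened pattern: decode first, then HTML-encode at the point of
    output so the path can only ever render as text."""
    return TEMPLATE.format(path=html.escape(unquote(raw_path), quote=True))


def reflects_markup(page: str, marker: str = MARKER) -> bool:
    """Regression check: True if the probe survives with its angle
    brackets intact, i.e. the page would parse it as HTML."""
    return marker in page


if __name__ == "__main__":
    for name, render in (("unsafe", render_404_unsafe),
                         ("safe", render_404_safe)):
        for path in (PROBE_PATH, ENCODED_PATH):
            print(f"{name:6} {path!r:55} reflected={reflects_markup(render(path))}")
```

The same check can be pointed at the body of a real error response after upgrading, to confirm the path comes back encoded rather than as live markup.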