VMWare has issued a patch fixing a Cross-Site Scripting vulnerability, rated as important, in VMware ESXi that could result in malicious script being executed by the victim’s browser.
The issue, CVE-2020-3955, impacts ESXI versions 6.5 and 6.7 and is due to the ESXI host client not properly neutralizing script-related HTML when viewing virtual machines attributes. Version 7.0 already contains the patch so is unaffected.
“A malicious actor with access to modify the system properties of a virtual machine from inside the guest os (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim’s browser when viewing this virtual machine via the ESXi Host Client,” VMWare reported.
Patches are available for each of the versions 6.5 and 6.7.