VMware patched two cross-site scripting issues in several editions of its vRealize cloud software. These flaws could be exploited in stored XSS attacks and could result in the user’s workstation being compromised.
The input validation error exists in Linux versions of VMware vRealize Automation 6.x prior to 6.2.4 and vRealize Business Advanced and Enterprise 8.x prior to 8.2.5, VMware said in the advisory (VMSA-2016-0003). Linux users running affected versions should update to vRealize Automation 6.2.4 and vRealize Business Advanced and Enterprise 8.2.5 to address the problems. The issues do not affect vRealize Automation 7.x on Linux and 5.x on Windows, and vRealize Business 7.x and 6.x on Linux (vRealize Business Standard).
Both the flaw in the cloud automation tool vRealize Automation (CVE-2015-2344) and the one in the financial management software vRealize Business (CVE-2016-2075) were rated as "important." The stored XSS vulnerabilities would let attackers permanently store the injected script on target servers and retrieve them whenever the attacker tries to access the information.
According to the entry in the MITRE SVE database, the stored XSS flaws in both Linux applications "allows remote authenticated users to inject arbitrary Web script or HTML via unspecified vectors."
The software does not properly filter HTML code from user-supplied input, such as in a comment field or other types of input. As a result, a remote user can exploit the flaw to force the victim’s Web browser to execute a malicious script. Since the browser thinks the code is originating from the user’s workstation, the script runs in the security context of the system and can access the user’s stored cookies (including the authentication cookies), access recently submitted form data, and perform other actions pretending to be the user.
Security Tracker , which lists information on security vulnerabilities, said the issues can result in disclosure of authentication information and execution of arbitrary code over the network, as well as disclosure and modification of user information.
VMware does not follow a set schedule for its security patches, but the vRealize patches would be the third update for 2016. VMware fixed a privilege escalation flaw in ESXi, Fusion, Player, and Workstation in January, and it closed the critical glibc vulnerability in February. The company also reissued an October patch in February addressing a remote code execution flaw in vCenter that could let unauthenticated users connect and run code.
The issue in vRealize Automation was reported by Lukasz Plonka of ING Services Polska. Last year, as an independent security consultant, Plonka reported a critical SQL injection flaw with a Common Vulnerability Scoring System rating of 9 in Cisco Secure Access Control System v5.5 and earlier. The vRealize Business vulnerability was reported by Alvaro Trigo Martin de Vidales, a senior IT security consultant with Deloitte Spain.