Article Number: 000153612
Critical
NA
Stored Cross-Site Scripting (XSS) Vulnerability
CVE-2020-3955
9.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
VMware ESXi Host Client does not properly neutralize script-related HTML when viewing virtual machines. A malicious user with access to modify the system properties of a virtual machine (such as changing the hostname of the virtual machine from inside the guest) may be able to inject malicious script into the ESXi Host Client which may be executed when the UI displays these properties.
Affected products:
Dell EMC VxRail Appliance versions prior to 4.5.420
Dell EMC VxRail Appliance versions prior to 4.7.510
Remediation:
Dell EMC recommends VxRail 4.5.x users upgrade to version 4.5.420 at the earliest opportunity.
For VxRail 4.7.x users, a version to address this issue is expected shortly. Check back on this article for the expected update.
VxRail 4.5.420 Release notes:
https://support.emc.com/docu86659_VxRail-Appliance-Software-4.5.x-Release-Notes.pdf?language=en_US
VxRail 4.5.420 Download:
https://dl.dell.com/downloads/DL96918_VxRail-4.5.420-Composite-Upgrade-Package-for-4.5.x.zip
19 Nov 2021
5
Dell Security Advisory