CVE-2019-5514

Name of the Vulnerable Software and Affected Versions VMware Fusion versions 11.x before 11.0.3

Description The issue is related to insufficient input validation in the VMware Fusion hypervisor interface. This can be exploited by a remote attacker to execute arbitrary JavaScript code or run arbitrary commands using the VMware Tools utility set. The vulnerability involves certain unauthenticated APIs that are accessible through a web socket, which can be exploited by tricking the host user into executing JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines.

Recommendations For versions 11.x before 11.0.3, update to version 11.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the unauthenticated APIs accessible through the web socket to minimize the risk of exploitation. Additionally, avoid executing JavaScript code from untrusted sources on the host machine to prevent potential exploitation of the guest machine.