PT-2011-3687 · Vmware+2 · Vi Client+2
Published: 2011-06-06 · Updated: 2017-08-29
CVE-2011-2217
CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Tom Sawyer GET Extension Factory version 5.5.2.237
VI Client (aka VMware Infrastructure Client) versions 2.0.2 before Build 230598
VI Client (aka VMware Infrastructure Client) versions 2.5 before Build 204931
Description
The issue arises from certain ActiveX controls in Tom Sawyer GET Extension Factory not handling initialization within Internet Explorer properly. This allows remote attackers to execute arbitrary code or cause a denial of service due to memory corruption via a crafted HTML document.
Recommendations
For Tom Sawyer GET Extension Factory version 5.5.2.237, update to a version that properly handles ActiveX control initialization.
For VI Client (aka VMware Infrastructure Client) version 2.0.2, update to Build 230598 or later.
For VI Client (aka VMware Infrastructure Client) version 2.5, update to Build 204931 or later.
Exploit
Fix
Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Internet Explorer
Tom Sawyer Get Extension Factory
Vi Client