PT-2017-16211 · Vmware · Vsphere Web Client+1

Published

2017-11-17

Updated

2018-10-30

CVE-2017-4928

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions vSphere Web Client versions 6.0 prior to 6.0 U3c vSphere Web Client versions 5.5 prior to 5.5 U3f

Description The flash-based vSphere Web Client contains issues due to improper neutralization of URLs, specifically Server-Side Request Forgery (SSRF) and CRLF injection. An attacker may exploit these issues by sending a POST request with modified headers towards internal services, leading to information disclosure.

Recommendations For vSphere Web Client versions 6.0 prior to 6.0 U3c, update to version 6.0 U3c or later. For vSphere Web Client versions 5.5 prior to 5.5 U3f, update to version 5.5 U3f or later.

Fix

CSRF

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352CWE-918

Related Identifiers

CVE-2017-4928

Affected Products

Vmware Vcenter

Vsphere Web Client

PT-2017-16211 · Vmware · Vsphere Web Client+1

CVE-2017-4928

Weakness Enumeration

Related Identifiers

Affected Products

References · 5