VMware Security Advisory
Synopsis: VMware vCenter Server updates address an important reflective cross-site scripting issue
Updated on: 2016-06-14 (Initial Advisory)
cross-site scripting issue.
vCenter Server 5.1 prior to 5.1 update 3d
vCenter Server 5.0 prior to 5.0 update 3g
a. Important vCenter Server reflected cross-site scripting issue
The vSphere Web Client contains a reflected cross-site scripting
vulnerability due to a lack of input sanitization. An attacker can
exploit this issue by tricking a victim into clicking a malicious
VMware would like to thank Matt Schmidt for reporting this issue to
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2015-6931 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
| vCenter Server | 6.0 | Any | not affected |
| vCenter Server | 5.5 | Any | 5.5 U2d * |
| vCenter Server | 5.1 | Any | 5.1 U3d * |
| vCenter Server | 5.0 | Any | 5.0 U3g * |
* The client side component of the vSphere Web Client does not need
to be updated to remediate CVE-2015-6931. Updating the vCenter
Server is sufficient to remediate this issue.
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
Downloads and Documentation:
Initial security advisory in conjunction with the release of VMware
vCenter Server 5.0 U3g on 2016-06-14.
Created on June 14, 2016 by Rick Scherer