VMware Security Announcement VMSA-2020-0008

Today VMware released VMSA-2020-0008. This affects VMware ESXi, and the related patches address a Stored Cross-Site Scripting (XSS) vulnerability that was privately reported to VMware (CVE-2020-3955).

Patch links and information are listed below.

Impacted Products

VMware ESXi 6.5 and VMware ESXi 6.7. VMware ESXi 7 is not affected!

VMware ESXi patches address Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3955)

The VMware ESXi Host Client does not properly neutralize script-related HTML when viewing virtual machine attributes. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3.

Known Attack Vectors:
A malicious actor with access to modify the system properties of a virtual machine from inside the guest OS (such as changing the hostname of the virtual machine) may be able to inject malicious script which will be executed by a victim's browser when viewing this virtual machine via the ESXi Host Client.
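
The weakness described above is missing output encoding of guest-controlled attributes. The sketch below is an added example, not VMware's code and not part of the advisory: it checks guest-reported hostnames against RFC 1123 and HTML-encodes them before display. The `name` and `guestHostname` fields and the sample inventory are constructed assumptions.

```javascript
// Added example: not VMware's code. Field names and sample data are constructed.

// Encode the characters that let text break out of HTML element or attribute context.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
// 1 to 63 characters each, no leading or trailing hyphen, 253 characters in total.
const LABEL = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidHostname(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 253) return false;
  return name.split('.').every((label) => LABEL.test(label));
}

// Review guest-reported attributes from an inventory export (hypothetical format).
// Flagging is allowlist-based: anything that is not a well-formed hostname is
// reported, rather than matching known script patterns.
function auditInventory(vms) {
  return vms.map((vm) => ({
    vm: vm.name,
    suspicious: !isValidHostname(vm.guestHostname),
    display: escapeHtml(vm.guestHostname), // safe to place in HTML text or a quoted attribute
  }));
}

// Constructed sample data.
const sampleInventory = [
  { name: 'web01', guestHostname: 'web01.corp.example' },
  { name: 'db02', guestHostname: 'db02<script>/*constructed*/</script>' },
  { name: 'lab03', guestHostname: 'R&D-build' },
];

console.log(auditInventory(sampleInventory));
```

Flagged entries are worth reviewing on unpatched 6.5 and 6.7 hosts before anyone opens those virtual machines in the Host Client.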


To remediate CVE-2020-3955, apply the following updates:

For ESXi 6.5 use ESXi650-201912104-SG

For ESXi 6.7 use ESXi670-202004103-SG


Fixed Version(s) and Release Notes:

VMware ESXi 6.7: ESXi670-202004103-SG

VMware ESXi 6.5: ESXi650-201912104-SG

Link to VMware advisory


Happy Patching!