VMware Security Announcement VMSA-2020-0019

Today VMware released VMSA-2020-0019. This advisory affects VMware App Volumes. The updates address a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3975).

Impacted Products

  • VMware App Volumes

Introduction

A Stored Cross-Site Scripting (XSS) vulnerability affecting VMware App Volumes was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

Advisory Details

Description

VMware App Volumes does not correctly validate user input when creating and editing applications or creating storage groups. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.5.

Known Attack Vectors

A malicious actor with access to create and edit applications or create storage groups may be able to inject malicious script, which will be executed by a victim's browser when viewing.

Resolution

For App Volumes 2.x, apply version 2.18.6. Download links are provided below.

For App Volumes 4, apply version 2006. Download links are provided below.

Workarounds

None.

References

Fixed Version(s) and Release Notes:

VMware App Volumes 2.18.6

https://my.vmware.com/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_app_volumes/2_x
https://docs.vmware.com/en/VMware-App-Volumes/2.18.6/rn/VMware-App-Volumes-2186-Release-Notes.html

VMware App Volumes 4 2006

https://my.vmware.com/web/vmware/downloads/info/slug/desktop_end_user_computing/vmware_app_volumes/4_x
https://docs.vmware.com/en/VMware-App-Volumes/2006/rn/VMware-App-Volumes-4-version-2006.html

Here is the link to the official advisory from VMware:

https://www.vmware.com/security/advisories/VMSA-2020-0019.html

Happy Patching!