VMware Security Announcement VMSA-2020-0019
Today VMware released VMSA-2020-0019. This advisory affects VMware App Volumes. The updates address a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2020-3975).
- VMware App Volumes
A Stored Cross-Site Scripting (XSS) vulnerability affecting VMware App Volumes was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
VMware App Volumes does not correctly validate user input when creating and editing applications or creating storage groups. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.5.
Known Attack Vectors
A malicious actor with access to create and edit applications or create storage groups may be able to inject malicious script, which will be executed by a victim's browser when viewing.
For App Volumes 2.x, apply version 2.18.6. Download links will be provided below.
For App Volumes 4, apply version 2006. Download links will be provided below.
Fixed Version(s) and Release Notes:
VMware App Volumes 2.18.6
VMware App Volumes 4 2006
Here is the link to the official advisory from VMware