This script is Copyright (C) 2010-2015 Tenable Network Security, Inc.
An application hosted on the remote web server has a cross-site
The version of WebAccess hosted on the remote VMware ESX server has a
cross-site scripting vulnerability. It is possible to specify which XML
web service to use for a given session by passing a specially crafted
value to the 'view' parameter of '/ui/vmDirect.do'.
A remote attacker could exploit this by tricking a user into requesting
a maliciously crafted URL, causing all SOAP requests (including
plaintext authentication credentials) to be sent to a host that is
controlled by the attacker.
This version of ESX likely has other vulnerabilities, though Nessus has
not checked for those.
See also :
Apply the relevant patch referenced in the VMware advisory, or disable
Risk factor :
Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.6
Public Exploit Available : true
Family: CGI abuses : XSS
Nessus Plugin ID: 45414 ()
Bugtraq ID: 39106
CVE ID: CVE-2009-2277
The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.