Cross-site request forgery (CSRF) vulnerability in VMware vRealize Log Insight 2.x and 3.x before 3.3.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

The VMware vRealize Log Insight application running on the remote host is 2.x or 3.x prior to 3.3.2. It is, therefore, affected by multiple vulnerabilities :

  - A cross-site scripting (XSS) vulnerability exists due to     improper validation of user-supplied input before     returning it to users. An unauthenticated, remote     attacker can exploit this, via a specially crafted     request, to execute arbitrary script code in a user's     browser session. (CVE-2016-2081)

  - A cross-site request forgery (XSRF) vulnerability exists     due to a failure to require multiple steps, explicit     confirmation, or a unique token when performing certain     sensitive actions. An unauthenticated, remote attacker     can exploit this, by convincing a user to follow a     specially crafted link, to hijack the authentication of     the user and replace trusted content in the UI.
    (CVE-2016-2082)

Detections

Analytics

CVE-2016-2082

high

Tenable Plugins

high