a. Reflected cross-site scripting issue through flash parameter injection
The vSphere Web Client contains a reflected cross-site scripting vulnerability that occurs through flash parameter injection. An attacker can exploit this issue by tricking a victim into clicking a malicious link. VMware would like to thank John Page aka hyp3rlinx for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-2078 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.