a. VMware AirWatch Console stored XSS vulnerability
VMware AirWatch Console contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device’s ‘Links’ page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL.
VMware would like to thank Nicodemo Gawronski for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4930 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
CPE

Name | Operator | Version |
---|---|---|
airwatch console | lt | 9.2.0+ |
airwatch launcher for android | lt | 3.2.2 |