CVE-2017-4928

The Flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f), as distinct from the newer HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services, leading to information disclosure.

Category: CSRF
Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   7.5 HIGH     NETWORK       LOW               NONE             CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vmware     CNA    ---          ---           ---               ---              ---
CVE        ADP    ---          ---           ---               ---              ---

Base Score (CVSS 3.x): 7.5 HIGH
EPSS Score: Percentile 39%
Vulnerable software versions

Vendor   Product          Version
vmware   vcenter_server   5.5
vmware   vcenter_server   5.5:1
vmware   vcenter_server   5.5:1a
vmware   vcenter_server   5.5:1b
vmware   vcenter_server   5.5:1c
vmware   vcenter_server   5.5:2
vmware   vcenter_server   5.5:2b
vmware   vcenter_server   5.5:2d
vmware   vcenter_server   5.5:2e
vmware   vcenter_server   5.5:3
vmware   vcenter_server   5.5:3a
vmware   vcenter_server   5.5:3b
vmware   vcenter_server   5.5:3d
vmware   vcenter_server   5.5:3e
vmware   vcenter_server   5.5:b
vmware   vcenter_server   5.5:c
vmware   vcenter_server   6.0
vmware   vcenter_server   6.0:1
vmware   vcenter_server   6.0:1b
vmware   vcenter_server   6.0:2
vmware   vcenter_server   6.0:2a
vmware   vcenter_server   6.0:2m
vmware   vcenter_server   6.0:3
vmware   vcenter_server   6.0:3a
vmware   vcenter_server   6.0:3b
vmware   vcenter_server   6.0:a
vmware   vcenter_server   6.0:b