The Flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f), as distinct from the newer HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services, leading to information disclosure.
References
| Link | Resource |
|---|---|
| http://www.securityfocus.com/bid/101785 | Third Party Advisory, VDB Entry |
| http://www.securitytracker.com/id/1039759 | Third Party Advisory, VDB Entry |
| https://www.vmware.com/security/advisories/VMSA-2017-0017.html | Patch, Vendor Advisory |
Configurations
Configuration 1
History
No history.
Information
Published : 2017-11-17 14:29
Updated : 2025-04-20 01:37
NVD link : CVE-2017-4928
Mitre link : CVE-2017-4928
CVE.ORG link : CVE-2017-4928
Products Affected
vmware
- vcenter_server
