VMware patched two cross-site scripting vulnerabilities in its products this week that if exploited, could lead to the compromise of a user’s client workstation.
The bugs, stored XSS vulnerabilities and rated important, exist in the company’s vRealize Automation and vRealize Business Advanced and Enterprise platforms.
Linux users running 6.x of vRealize Automation, a cloud automation software product, and 8.x of vRealize Business Advanced and Enterprise, a financial management tool, are being urged to update. Users running any other builds of the software aren’t affected, according to a security advisory issued by the VMware on Tuesday.
The issue in the Automation version of vRealize was dug up by independent researcher Lukasz Plonka while the issue in the Business and Enterprise version was discovered by Alvaro Trigo Martin de Vidales, a senior IT security consultant with Deloitte Spain.
It’s the third issue that VMware has patched its products this year. The updates follow a set of patches the company released to address last month’s critical glibc vulnerability and a series of updates it pushed in January to address a privilege escalation bug in ESXi, Fusion, Player, and Workstation.
The company was forced to reissue a patch last month, from last October that it issued which failed to address a nasty remote code execution vulnerability in vCenter which let unauthenticated users connect to the vCenter Server and run code. While Windows Firewall mitigated the issue, officials with VMware still encouraged users to reapply the tweaked patch.