The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.
2017-11-17T14:29:00.483
2025-04-20T01:37:25.860
Deferred
CVSSv3.0: 7.5 (HIGH)
AV:N/AC:L/Au:N/C:P/I:N/A:N
10.0
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 5.5 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |
| Application | vmware | vcenter_server | 6.0 | Yes |