A security advisory posted on VMWare warns of two “important” vulnerabilities are found within the VMware vRealize Automation and VMware vRealize Business Advanced and Enterprise software platforms. The flaws, the company, said, could lead to the compromise of user workstations. Both are cross-site scripting (XSS) issues.
The first vulnerability, CVE-2015-2344, impacts VMware vRealize Automation 6.x before 6.2.4 on the Linux operating system, while the second flaw, CVE-2016-2075, affects VMware vRealize Business Advanced and Enterprise 8.x before 8.2.5, again on Linux only. NIST has labeled these CVE-2015-2344 and CVE-2016-2075.
An independent researcher, Lukasz Plonka, is credited with discovering the first XSS vulnerability. The second vulnerability was reported by Deloitte security researcher Alvaro Trigo Martin de Vidales.
According to ZDNet the two new patches follow the reissue of a security fix for a problem thought to have been adequately patched in October 2015, a critical remote code execution vulnerability in the vCenter Server platform.