CVE-2017-4926 - Vulnerability Details

Vendors	Products
Vmware	Vcenter Server

Link	Providers
http://www.securityfocus.com/bid/100844
http://www.securitytracker.com/id/1039364
https://www.vmware.com/security/advisories/VMSA-2017-0015.html

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "vCenter Server", "vendor": "VMware", "versions": [{"status": "affected", "version": "6.5 prior to 6.5 U1"}]}], "datePublic": "2017-09-14T00:00:00", "descriptions": [{"lang": "en", "value": "VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page."}], "problemTypes": [{"descriptions": [{"description": "Stored XSS", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-16T09:57:01", "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware"}, "references": [{"name": "1039364", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039364"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.vmware.com/security/advisories/VMSA-2017-0015.html"}, {"name": "100844", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/100844"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "DATE_PUBLIC": "2017-09-14T00:00:00", "ID": "CVE-2017-4926", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "vCenter Server", "version": {"version_data": [{"version_value": "6.5 prior to 6.5 U1"}]}}]}, "vendor_name": "VMware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Stored XSS"}]}]}, "references": {"reference_data": [{"name": "1039364", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039364"}, {"name": "https://www.vmware.com/security/advisories/VMSA-2017-0015.html", "refsource": "CONFIRM", "url": "https://www.vmware.com/security/advisories/VMSA-2017-0015.html"}, {"name": "100844", "refsource": "BID", "url": "http://www.securityfocus.com/bid/100844"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:47:43.302Z"}, "title": "CVE Program Container", "references": [{"name": "1039364", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1039364"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.vmware.com/security/advisories/VMSA-2017-0015.html"}, {"name": "100844", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/100844"}]}]}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2017-4926", "datePublished": "2017-09-15T13:00:00Z", "dateReserved": "2016-12-26T00:00:00", "dateUpdated": "2024-09-16T17:59:16.493Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : vCenter Server (string)

vendor : VMware (string)

versions : [ »

0 : { »

status : affected (string)

version : 6.5 prior to 6.5 U1 (string)

}

]

}

]

datePublic : 2017-09-14T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Stored XSS (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2017-09-16T09:57:01 (string)

orgId : dcf2e128-44bd-42ed-91e8-88f912c1401d (string)

shortName : vmware (string)

}

references : [ »

0 : { »

name : 1039364 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_SECTRACK (string)

]

url : http://www.securitytracker.com/id/1039364 (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://www.vmware.com/security/advisories/VMSA-2017-0015.html (string)

}

2 : { »

name : 100844 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

]

url : http://www.securityfocus.com/bid/100844 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@vmware.com (string)

DATE_PUBLIC : 2017-09-14T00:00:00 (string)

ID : CVE-2017-4926 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : vCenter Server (string)

version : { »

version_data : [ »

0 : { »

version_value : 6.5 prior to 6.5 U1 (string)

}

]

}

]

}

vendor_name : VMware (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Stored XSS (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : 1039364 (string)

refsource : SECTRACK (string)

url : http://www.securitytracker.com/id/1039364 (string)

}

1 : { »

name : https://www.vmware.com/security/advisories/VMSA-2017-0015.html (string)

refsource : CONFIRM (string)

url : https://www.vmware.com/security/advisories/VMSA-2017-0015.html (string)

}

2 : { »

name : 100844 (string)

refsource : BID (string)

url : http://www.securityfocus.com/bid/100844 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T14:47:43.302Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

name : 1039364 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_SECTRACK (string)

2 : x_transferred (string)

]

url : http://www.securitytracker.com/id/1039364 (string)

}

1 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://www.vmware.com/security/advisories/VMSA-2017-0015.html (string)

}

2 : { »

name : 100844 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

2 : x_transferred (string)

]

url : http://www.securityfocus.com/bid/100844 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : dcf2e128-44bd-42ed-91e8-88f912c1401d (string)

assignerShortName : vmware (string)

cveId : CVE-2017-4926 (string)

datePublished : 2017-09-15T13:00:00Z (string)

dateReserved : 2016-12-26T00:00:00 (string)

dateUpdated : 2024-09-16T17:59:16.493Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:vcenter_server:6.5:*:*:*:*:*:*:*", "matchCriteriaId": "3D97854C-DE5D-48B4-B5DB-C132E6D4B826", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page."}, {"lang": "es", "value": "VMware vCenter Server (en versiones 6.5 anteriores a la 6.5 U1) contiene una vulnerabilidad que podr\u00eda permitir ataques de Cross-Site Scripting (XSS) persistente. Un atacante con privilegios de usuario VC puede inyectar c\u00f3digos JavaScript maliciosos, que se ejecutar\u00e1n cuando otros usuarios VC accedan a la p\u00e1gina."}], "id": "CVE-2017-4926", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-09-15T13:29:00.277", "references": [{"source": "security@vmware.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100844"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039364"}, {"source": "security@vmware.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.vmware.com/security/advisories/VMSA-2017-0015.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/100844"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039364"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.vmware.com/security/advisories/VMSA-2017-0015.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:vmware:vcenter_server:6.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 3D97854C-DE5D-48B4-B5DB-C132E6D4B826 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. (string)

}

1 : { »

lang : es (string)

value : VMware vCenter Server (en versiones 6.5 anteriores a la 6.5 U1) contiene una vulnerabilidad que podría permitir ataques de Cross-Site Scripting (XSS) persistente. Un atacante con privilegios de usuario VC puede inyectar códigos JavaScript maliciosos, que se ejecutarán cuando otros usuarios VC accedan a la página. (string)

}

]

id : CVE-2017-4926 (string)

lastModified : 2025-04-20T01:37:25.860 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : LOW (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : NONE (string)

baseScore : 3.5 (number)

confidentialityImpact : NONE (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:S/C:N/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 6.8 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : true (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.4 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : LOW (string)

privilegesRequired : LOW (string)

scope : CHANGED (string)

userInteraction : REQUIRED (string)

vectorString : CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (string)

version : 3.0 (string)

}

exploitabilityScore : 2.3 (number)

impactScore : 2.7 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2017-09-15T13:29:00.277 (string)

references : [ »

0 : { »

source : security@vmware.com (string)

tags : [ »

0 : Third Party Advisory (string)

1 : VDB Entry (string)

]

url : http://www.securityfocus.com/bid/100844 (string)

}

1 : { »

source : security@vmware.com (string)

tags : [ »

0 : Third Party Advisory (string)

1 : VDB Entry (string)

]

url : http://www.securitytracker.com/id/1039364 (string)

}

2 : { »

source : security@vmware.com (string)

tags : [ »

0 : Patch (string)

1 : Vendor Advisory (string)

]

url : https://www.vmware.com/security/advisories/VMSA-2017-0015.html (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

1 : VDB Entry (string)

]

url : http://www.securityfocus.com/bid/100844 (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

1 : VDB Entry (string)

]

url : http://www.securitytracker.com/id/1039364 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Vendor Advisory (string)

]

url : https://www.vmware.com/security/advisories/VMSA-2017-0015.html (string)

}

]

sourceIdentifier : security@vmware.com (string)

vulnStatus : Deferred (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-79 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object