VMSA-2023-0010:NSX-T update addresses cross-site scripting vulnerability

VMware Tanzu Application Service

0 more products

23672

21 May 2023

21 May 2023

CLOSED

MEDIUM

4.3

CVE-2023-20868

VMSA-2023-0010
4.3
2023-05-23
2023-05-23 (Initial Advisory)
CVE-2023-20868
NSX-T update addresses cross-site scripting vulnerability (CVE-2023-20868)
1. Impacted Products
  • NSX-T
2. Introduction

An XSS vulnerability in NSX-T was privately reported to VMware. Updates are available to address this vulnerability in affected VMware product.

3. NSX-T reflected XSS vulnerability (CVE-2023-20868)

Description

NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.

Known Attack Vectors

A remote attacker can inject HTML or JavaScript to redirect to malicious pages

Resolution

To remediate CVE-2023-20868 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None

Additional Documentation

An NSX async patch has been made available for VCF customers. Please see knowledge base article 88287 for more information.

Notes

None

Acknowledgements

VMware would like to thank Faisal Patel of Nationwide Building Society for reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
NSX
4.x
Any
CVE-2023-20868
N/A
N/A
Unaffected
None
None
NSX-T
3.2.x
Any
CVE-2023-20868
None
None
NSX-T
3.1.x, 3.0.x
Any
CVE-2023-20868
N/A
N/A
Unaffected
None
None
Cloud Foundation (NSX-T)
4.5.x
Any
CVE-2023-20868
None
Cloud Foundation (NSX-T)
4.4.x, 4.3.x
Any
CVE-2023-20868
N/A
N/A
Unaffected
None
None
4. References
5. Change Log

2023-05-23 VMSA-2023-0010

Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

[email protected]  

[email protected]  

[email protected] 

 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2023 VMware Inc. All rights reserved.