Insufficient Data Validation in VMware Horizon DaaS Affects Users' Drives and Devices
CVE-2017-4897

5.5MEDIUM

Key Information:

Vendor
Vmware
Status
Horizon Daas
Vendor
CVE Published:
31 May 2017

Summary

VMware Horizon DaaS prior to version 7.0.0 is vulnerable due to inadequate validation of user data. This vulnerability allows attackers to exploit the system by deceiving users into connecting to a malicious server. Once connected, the attackers can gain access to users' drives and devices through a specially crafted RDP file that the victim unwittingly downloads by clicking on a harmful link. As the attack relies on user interaction, it poses a significant risk to unsuspecting individuals who utilize the DaaS client.

Affected Version(s)

Horizon DaaS prior to 7.0.0

References

http://www.securitytracker.com/id/1037951
vdb-entryx_refsource_SECTRACK
http://www.securityfocus.com/bid/96559
vdb-entryx_refsource_BID
http://www.vmware.com/security/advisories/VMSA-2017-0002....
x_refsource_CONFIRM

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.