CVE-2021-21990: VMSA-2021-0008

VMware Workspace ONE UEM console (2102 prior to 21.2.0.8, 2101 prior to 21.1.0.14, 2011 prior to 20.11.0.27, 2010 prior to 20.10.0.16, 2008 prior to 20.8.0.28, 2007 prior to 20.7.0.14, 2006 prior to 20.6.0.19, 2005 prior to 20.5.0.46, 2004 prior to 20.4.0.21, 2003 prior to 20.3.0.23, 2001 prior to 20.1.0.32, 1912 prior to 19.12.0.24) contains a cross-site scripting vulnerability. The console does not validate incoming requests during device enrollment, which leads to unsanitized input being rendered on the user's device in the response.


Advisory ID: VMSA-2021-0008

CVSSv3 Range: 3.7

Issue Date: 2021-05-11

Updated On: 2021-05-11 (Initial Advisory)

CVE(s): CVE-2021-21990

Synopsis: VMware Workspace ONE UEM console patches address a cross-site scripting vulnerability (CVE-2021-21990)


****1. Impacted Products****

VMware Workspace ONE UEM console

****2. Introduction****

A cross-site scripting vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.

****3. Cross Site Scripting (XSS) vulnerability in VMware Workspace ONE UEM console (CVE-2021-21990)****

VMware Workspace ONE UEM console does not validate an incoming request during device enrollment. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.7.

A malicious actor may be able to inject code or redirect a user to another site during the enrollment process.

To remediate CVE-2021-21990, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

VMware would like to thank Mr. Lauritz Holtmann and Mr. Leif Enders of usd AG for reporting this issue to us.

Resolution Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Workspace ONE UEM console | 1912 | Any | CVE-2021-21990 | 3.7 | low | 19.12.0.24 | None | None |
| VMware Workspace ONE UEM console | 2001 | Any | CVE-2021-21990 | 3.7 | low | 20.1.0.32 | None | None |
| VMware Workspace ONE UEM console | 2003 | Any | CVE-2021-21990 | 3.7 | low | 20.3.0.23 | None | None |
| VMware Workspace ONE UEM console | 2004 | Any | CVE-2021-21990 | 3.7 | low | 20.4.0.21 | None | None |
| VMware Workspace ONE UEM console | 2005 | Any | CVE-2021-21990 | 3.7 | low | 20.5.0.46 | None | None |
| VMware Workspace ONE UEM console | 2006 | Any | CVE-2021-21990 | 3.7 | low | 20.6.0.19 | None | None |
| VMware Workspace ONE UEM console | 2007 | Any | CVE-2021-21990 | 3.7 | low | 20.7.0.14 | None | None |
| VMware Workspace ONE UEM console | 2008 | Any | CVE-2021-21990 | 3.7 | low | 20.8.0.28 | None | None |
| VMware Workspace ONE UEM console | 2010 | Any | CVE-2021-21990 | 3.7 | low | 20.10.0.16 | None | None |
| VMware Workspace ONE UEM console | 2011 | Any | CVE-2021-21990 | 3.7 | low | 20.11.0.27 | None | None |
| VMware Workspace ONE UEM console | 2101 | Any | CVE-2021-21990 | 3.7 | low | 21.1.0.14 | None | None |
| VMware Workspace ONE UEM console | 2102 | Any | CVE-2021-21990 | 3.7 | low | 21.2.0.8 | None | None |
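Checking an inventory of console builds against the Resolution Matrix above is easy to get wrong with plain string comparison (e.g. "20.10.0.9" sorts after "20.10.0.16" as text), so the following added example, which is not VMware's code, compares builds numerically and derives the advisory's YYMM branch label (1912, 2001, ... 2102) from the major.minor pair of the installed version. The fixed versions are copied from the matrix; host names and sample versions are constructed.

```python
"""Assess VMware Workspace ONE UEM console builds against VMSA-2021-0008
(CVE-2021-21990). Added example; matrix values come from the advisory."""
from typing import Optional, Tuple

# Fixed Version per release branch, as listed in the Resolution Matrix.
FIXED_VERSIONS = {
    "1912": "19.12.0.24", "2001": "20.1.0.32", "2003": "20.3.0.23",
    "2004": "20.4.0.21", "2005": "20.5.0.46", "2006": "20.6.0.19",
    "2007": "20.7.0.14", "2008": "20.8.0.28", "2010": "20.10.0.16",
    "2011": "20.11.0.27", "2101": "21.1.0.14", "2102": "21.2.0.8",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted build string such as '20.10.0.12' into integers so
    that comparison is numeric, not lexicographic."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected UEM console version format: {version!r}")
    return tuple(int(p) for p in parts)


def release_branch(version: str) -> str:
    """Derive the advisory's YYMM branch label from major.minor, e.g.
    20.10.x.x -> '2010' and 19.12.x.x -> '1912'."""
    major, minor = parse_version(version)[:2]
    return f"{major:02d}{minor:02d}"


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version). status is 'vulnerable', 'patched',
    or 'not-listed' (branch absent from the matrix; decide separately)."""
    fixed = FIXED_VERSIONS.get(release_branch(version))
    if fixed is None:
        return "not-listed", None
    if parse_version(version) < parse_version(fixed):
        return "vulnerable", fixed
    return "patched", fixed


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and builds).
    inventory = [("uem-a", "20.10.0.12"), ("uem-b", "21.2.0.8"), ("uem-c", "20.2.0.5")]
    for host, ver in inventory:
        status, fixed = assess(ver)
        suffix = f" (fixed in {fixed})" if fixed else ""
        print(f"{host}: {ver} -> {status}{suffix}")
```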

****4. References****

****5. Change Log****

2021-05-11: VMSA-2021-21990
Initial security advisory.

****6. Contact****
