Headline: CVE-2021-21990: VMSA-2021-0008
VMware Workspace ONE UEM console (2102 prior to 21.2.0.8, 2101 prior to 21.1.0.14, 2011 prior to 20.11.0.27, 2010 prior to 20.10.0.16, 2008 prior to 20.8.0.28, 2007 prior to 20.7.0.14, 2006 prior to 20.6.0.19, 2005 prior to 20.5.0.46, 2004 prior to 20.4.0.21, 2003 prior to 20.3.0.23, 2001 prior to 20.1.0.32, 1912 prior to 19.12.0.24) contains a cross-site scripting vulnerability. VMware Workspace ONE UEM console does not validate incoming requests during device enrollment, which leads to unsanitized input being rendered on the user's device in the response.
Advisory ID: VMSA-2021-0008
CVSSv3 Range: 3.7
Issue Date: 2021-05-11
Updated On: 2021-05-11 (Initial Advisory)
CVE(s): CVE-2021-21990
Synopsis: VMware Workspace ONE UEM console patches address a cross-site scripting vulnerability (CVE-2021-21990)
****1. Impacted Products****
VMware Workspace ONE UEM console
****2. Introduction****
A cross-site scripting vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
****3. Cross Site Scripting (XSS) vulnerability in VMware Workspace ONE UEM console (CVE-2021-21990)****
VMware Workspace ONE UEM console does not validate an incoming request during device enrollment. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.7.
A malicious actor may be able to inject code or redirect a user to another site during the enrollment process.
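The advisory's two consequences, script injection and redirection to another site, both come from reflecting enrollment request parameters into the response without validation or encoding. The following added example (not VMware's code; the endpoint shape, the `device_name` and `return_url` parameters and the `uem.example.com` host are hypothetical) shows that pattern beside a hardened version that HTML-encodes every reflected value and accepts only allow-listed HTTPS redirect targets, with a small check a reviewer can run over both outputs.

```python
"""
Added illustration of the bug class described in this advisory: an
enrollment page that reflects request parameters verbatim (vulnerable)
versus one that validates and encodes them (hardened). Parameter names,
host names and the page layout are assumptions, not VMware's code.
"""
import html
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts the enrollment flow may send users to.
ALLOWED_REDIRECT_HOSTS = {"uem.example.com"}
DEFAULT_RETURN_URL = "https://uem.example.com/enroll/done"


def render_enrollment_vulnerable(params: dict) -> str:
    """Before: reflects 'device_name' and 'return_url' straight into HTML.
    Any markup or javascript: URL in the request ends up on the device."""
    device = params.get("device_name", "")
    return_url = params.get("return_url", DEFAULT_RETURN_URL)
    return (
        "<html><body>"
        f"<p>Enrolling device: {device}</p>"
        f'<a href="{return_url}">Continue</a>'
        "</body></html>"
    )


def safe_return_url(candidate: str) -> str:
    """Accept only absolute https URLs whose host is allow-listed; anything
    else (javascript:, data:, protocol-relative //host, external hosts)
    falls back to the default return URL."""
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return DEFAULT_RETURN_URL
    return candidate


def render_enrollment_hardened(params: dict) -> str:
    """After: validates the inputs, then HTML-encodes everything that is
    placed into the page (quote=True also encodes the attribute context)."""
    device = params.get("device_name", "")
    # Keep only short, printable device names; anything else is replaced.
    if not (0 < len(device) <= 64 and device.isprintable()):
        device = "unknown"
    return_url = safe_return_url(params.get("return_url", DEFAULT_RETURN_URL))
    return (
        "<html><body>"
        f"<p>Enrolling device: {html.escape(device, quote=True)}</p>"
        f'<a href="{html.escape(return_url, quote=True)}">Continue</a>'
        "</body></html>"
    )


# Constructed request parameters standing in for a crafted enrollment link.
CONSTRUCTED_PARAMS = {
    "device_name": "<script>alert(1)</script>",
    "return_url": "javascript:alert(document.domain)",
}


def contains_active_content(page: str) -> bool:
    """Review check: does the rendered page carry a raw script tag or a
    javascript: link? True means the input was reflected unsanitized."""
    lowered = page.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    vuln = render_enrollment_vulnerable(CONSTRUCTED_PARAMS)
    hard = render_enrollment_hardened(CONSTRUCTED_PARAMS)
    print("vulnerable page reflects payload:", contains_active_content(vuln))
    print("hardened page reflects payload:", contains_active_content(hard))
```

Output encoding is applied at the point the value enters the HTML, which is what the "Fixed Version" patches above are expected to do for the console's enrollment responses; the allow-list on the redirect target is what closes the "redirect a user to another site" half of the advisory, since encoding alone would still emit a well-formed `javascript:` link.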
To remediate CVE-2021-21990, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
VMware would like to thank Mr. Lauritz Holtmann and Mr. Leif Enders of usd AG for reporting this issue to us.
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Workspace ONE UEM console | 1912 | Any | CVE-2021-21990 | 3.7 | low | 19.12.0.24 | None | None |
| VMware Workspace ONE UEM console | 2001 | Any | CVE-2021-21990 | 3.7 | low | 20.1.0.32 | None | None |
| VMware Workspace ONE UEM console | 2003 | Any | CVE-2021-21990 | 3.7 | low | 20.3.0.23 | None | None |
| VMware Workspace ONE UEM console | 2004 | Any | CVE-2021-21990 | 3.7 | low | 20.4.0.21 | None | None |
| VMware Workspace ONE UEM console | 2005 | Any | CVE-2021-21990 | 3.7 | low | 20.5.0.46 | None | None |
| VMware Workspace ONE UEM console | 2006 | Any | CVE-2021-21990 | 3.7 | low | 20.6.0.19 | None | None |
| VMware Workspace ONE UEM console | 2007 | Any | CVE-2021-21990 | 3.7 | low | 20.7.0.14 | None | None |
| VMware Workspace ONE UEM console | 2008 | Any | CVE-2021-21990 | 3.7 | low | 20.8.0.28 | None | None |
| VMware Workspace ONE UEM console | 2010 | Any | CVE-2021-21990 | 3.7 | low | 20.10.0.16 | None | None |
| VMware Workspace ONE UEM console | 2011 | Any | CVE-2021-21990 | 3.7 | low | 20.11.0.27 | None | None |
| VMware Workspace ONE UEM console | 2101 | Any | CVE-2021-21990 | 3.7 | low | 21.1.0.14 | None | None |
| VMware Workspace ONE UEM console | 2102 | Any | CVE-2021-21990 | 3.7 | low | 21.2.0.8 | None | None |
****4. References****
****5. Change Log****
2021-05-11: VMSA-2021-0008
Initial security advisory.
****6. Contact****