Hand-Picked Top-Read Stories

Policy data may be lost when a CVAD site is upgraded from a previous version to 2402

15 views

Citrix VDA lose Registration after Cloud Connector Restart

16 views

Understanding Write Cache in Provisioning Services Server

26 views

Trending Tags

VMware Virtualisation

552 views

2 minute read

VMSA-2022-0006

21 March 2022

Moderate

Advisory ID:
VMSA-2022-0006

CVSSv3 Range:
6.6

Issue Date:
2022-02-23

Updated On:
2022-02-23 (Initial Advisory)

CVE(s):
CVE-2022-22944

Synopsis:
VMware Workspace ONE Boxer update addresses a stored cross-site scripting (XSS) vulnerability (CVE-2022-22944)

1. Impacted Products

VMware Workspace ONE Boxer

2. Introduction

A stored cross-site scripting (XSS) vulnerability affecting VMware Workspace ONE Boxer was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3a. VMware Workspace ONE Boxer update addresses a stored cross-site scripting (XSS) vulnerability (CVE-2022-22944)

Description

VMware Workspace ONE Boxer contains a stored cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

Due to insufficient sanitization and validation, in VMware Workspace ONE Boxer calendar event descriptions, a malicious actor can inject script tags to execute arbitrary script within a user’s window.

Resolution

To remediate CVE-2022-22944 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Eugene Lim for reporting this issue to us.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
Workspace ONE Boxer	Any	iOS	CVE-2022-22944	6.6	moderate	22.02	None	None
Workspace ONE Boxer	Any	Android	CVE-2022-22944	N/A	N/A	Unaffected	N/A	N/A

4. References

Workspace ONE Boxer for iOS
https://docs.vmware.com/en/Workspace-ONE-Boxer/services/rn/vmware-workspace-one-boxer-for-ios-release-notes/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22944

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

5. Change Log

2022-02-23: VMSA-2022-0006
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.

Read full article (vmware.com)

All content and images belong to their respected owners, this article is for informational purposes only.

Leave a Reply Cancel reply

You must be logged in to post a comment.

Previous Post

VMware Virtualisation

VMSA-2022-0004

21 March 2022

Next Post

VMware Virtualisation

VMSA-2022-0007

21 March 2022