VMware fixed a vulnerability in the Windows versions of its Horizon View product which could lead to information disclosure.
The desktop virtualization product suffers from a flaw that could allow a directory traversal on the Horizon View Connection Server, said security researcher Mike Arnold, aka “Bruk0ut,” who discovered the issue.
A remote attacker could exploit this weakness to gain access to some potentially sensitive information.
The flaw came in via Trend Micro’s Zero-Day Initiative (ZDI). ZDI has yet to make its advisory public, despite 160 days passing since the initial report. The company typically discloses vulnerabilities after 120 days, but it is possible that VMware requested an extension.
The security hole affects VMware Horizon View versions 5.x, 6.x and 7.x for Windows. The issue has been addressed with the release of versions 7.0.1, 6.2.3 and 5.3.7.
VMware has rated the vulnerability “important,” while ZDI has assigned it a CVSS score of 5.8, which puts it in the “medium” severity category.