VMware has issued updates for multiple packages. These fix vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, by malicious users to disclose sensitive information or manipulate certain data, and by malicious people to disclose sensitive information, conduct cross-site scripting attacks, manipulate certain data, bypass certain security restrictions, cause a DoS (Denial of Service), or compromise a user's system.

1) Multiple vulnerabilities can be exploited to disclose sensitive information, conduct cross-site scripting attacks, manipulate certain data, bypass certain security restrictions, cause a DoS, or compromise a user's system.

For more information:
SA27398
SA28274
SA28834
SA28878
SA30500
SA31381
SA34451
SA35326
SA36159

2) Input passed to WebWorks help pages is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

For more information:
SA38749

Solution
Apply patches.
Further details available to Secunia VIM customers

Provided and/or discovered by
2) Alex Kouzemtchenko of stratsec.

Changelog
Further details available to Secunia VIM customers

Original Advisory
VMSA-2009-0016:
http://lists.vmware.com/pipermail/security-announce/2010/000087.html

VMSA-2009-0017:
http://lists.vmware.com/pipermail/security-announce/2009/000073.html

stratsec:
http://www.stratsec.net/files/SS-09-001-Stratsec-VMWare%20WebWorks%20XSS%20Advisory%20v1.0.pdf

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers