VMware View versions 3.1.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability is due to insufficient validation of user-supplied input to the View Manager component of the affected software.
An unauthenticated, remote attacker could exploit the vulnerability by convincing a targeted user visit a malicious link. If a user visits the malicious link, the attacker could execute arbitrary script code in the user's web browser in the security context of the affected website.
Proof-of-concept code that exploits this vulnerability is publicly available.
VMware has confirmed the vulnerability and released updated software.