Preface: Cross-site scripting (XSS) is a type of attack in which malicious scripts are injected into websites and web applications so that they run on the end user’s device.
Background: VMware Horizon provides virtual desktop and app capabilities to users utilizing VMware’s virtualization technology. A desktop operating system – typically Microsoft Windows – runs within a virtual machine on a hypervisor.
CVE-2020-3998 – If Horizon Client for Windows is installed on the client computer, a malicious attacker may be able to exploit the victim's local privileges to retrieve hashed credentials.
CVE-2020-3997 – Successful exploitation of this vulnerability on Horizon server may allow an attacker to inject and execute malicious script.
If you are interested in the details, please refer to the attached diagram. For the official announcement, please refer to the link – https://www.vmware.com/security/advisories/VMSA-2020-0024.html