After authenticating through SSO using an unprivileged user with no specific rights in the system (except membership in the „Everyone“ group) no site pairs are displayed. However multiple API calls were available even with this unprivileged account.

 One vulnerable servlet available on /dr/impexFile (com.vmware.srm.client.sites.impex.exporter.ImpexFileServlet). This servlet accepted a value of FILE_GUID and used it as a path in a way vulnerable to path traversal. It attempted to read the file, return its contents to the user, and then delete it.

VMware Live Recovery 9.0.2

Issue is resolved in VMware Live Recovery 9.0.3.