Addressing Clickjacking Vulnerability Reported by AppSec Review on vCenter vsphere-client UI over port 443

Article ID: 416922

Products

VMware vCenter Server

Issue/Introduction

- From the developser tools console in the browser it was observed that an iframe whose sandbox attribute contains both allow-scripts and allow-same-origin can escape its sandboxing.


- Below are the observations:

An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
VMware Transport v1.3.6 Initialized with Id: eventbus-25c43cf5-803a-4c14-alec-e01e9471af8d-1.3.6, Hi! [EventBus] (HH:MM:SS PM)


Access to XMLHttpRequest at 'https://feedback.esp.vmware.com/api/feedback/v1/trigger-events?client_id=esp-prod-258-qczdg&component=static' from origin 'https://<vcsa-fqdn>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.


X {headers: g, status: 0, statusText: 'Unknown Error', url: 'https://feedback.esp.vmware.com/api/feedback/v1/tr .. nts?client_id=esp-prod-258-qczdg&component=static', ok: false, ... }
GET https://feedback.esp.vmware.com/api/feedback/v1/trigger-events?client_id=esp-prod-258-qczdg&component=static net::ERR_FAILED 200 (OK)


Access to XMLHttpRequest at 'https://apigw.vmware.com/v1/m7/api/lumos/user/user-details?client_id=esp-prod-258-qczdg' from origin 'https://<vcsa-fqdn>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.


notificationService :: error
message =
stack trace = undefined


GET https://apigw.vmware.com/v1/m7/api/lumos/user/user-details?client_id=esp-prod-258-qczdg net::ERR_FAILED
A [GroupMarkerNotSet(crbug.com/242999) !: A07027004C470000]Automatic fallback to software WebGL has been deprecated. Please use the --enable-unsafe-swiftshader flag to opt in to lower security guarantees for trusted content.



  • The application allows its pages to be framed by another application.

  • It might be possible for a web page controlled by an attacker to load the content of this response within an iframe on the attacker's page. This may enable a "clickjacking" attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.

Environment

vCenter 8.x

Cause

  • WebInspect has detected the target application supports Origin: null for CORS requests, making it vulnerable to CORS attacks.

  • Cross-Origin Resource Sharing, commonly referred to as CORS, is a technology that allows a domain to define a policy for its resources to be accessed by a web page hosted on a different domain using cross domain XML HTTP Requests (XHR). Historically, the browser restricts cross domain XHR requests to abide by the same origin policy. At its basic form, the same origin policy sets the script execution scope to the resources available on the current domain and prohibits any communication to domains outside this scope. Therefore, execution and incorporation of remote methods and functions hosted on domains outside of the current domain are effectively prohibited. While CORS is supported on all major browsers, it also requires that the domain correctly defines the CORS policy in order to have its resources shared with another domain.


  • It appears plugin user interfaces are delivered inside iframes using the allow-same-origin attribute, and Envoy is proxying those UI requests. To reduce clickjacking/postMessage attack surface, the proxied responses should include X-Frame-Options: SAMEORIGIN. Without that header, a remote site could embed the iframe and respond to htmlClientSdk.internal.* postMessage traffic. While exploitation would typically require valid session identifiers or auth tokens (making practical compromise difficult), the combination of embedded plugin UIs and permissive framing still constitutes an avoidable risk depending on how third-party plugins display and process UI interactions. 
  • To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.
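
A small checker for the three conditions discussed above (no anti-framing header, Access-Control-Allow-Origin reflecting null, and a sandbox attribute combining allow-scripts with allow-same-origin), written as an added example for this article and not code from VMware or the vSphere client; the header dictionaries are constructed samples, and a real check would be fed the headers of a captured vsphere-client response.

```python
from typing import Dict, List, Mapping

# Constructed sample responses (not captured from a vCenter appliance).
VULNERABLE_HEADERS: Dict[str, str] = {"Access-Control-Allow-Origin": "null"}
HARDENED_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}


def _lower(headers: Mapping[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v.strip() for k, v in headers.items()}


def framing_policy(headers: Mapping[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'csp' or 'none' for the anti-framing
    protection in the response (CSP frame-ancestors supersedes X-Frame-Options)."""
    h = _lower(headers)
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    for directive in h.get("content-security-policy", "").split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"
    return "none"


def cors_allows_null_origin(headers: Mapping[str, str]) -> bool:
    """True when the server echoes 'null' back as the allowed origin."""
    return _lower(headers).get("access-control-allow-origin") == "null"


def sandbox_is_escapable(sandbox_attr: str) -> bool:
    """Mirror the browser console warning: allow-scripts together with
    allow-same-origin lets framed content remove its own sandbox."""
    tokens = set(sandbox_attr.lower().split())
    return {"allow-scripts", "allow-same-origin"} <= tokens


def findings(headers: Mapping[str, str]) -> List[str]:
    """List the two header findings from the report for one response."""
    out = []
    if framing_policy(headers) == "none":
        out.append("missing X-Frame-Options / frame-ancestors")
    if cors_allows_null_origin(headers):
        out.append("Access-Control-Allow-Origin: null")
    return out
```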

Resolution

VMware is aware of this issue and is working to resolve it in a future vCenter release.