A code injection vulnerability exists in VMware Cloud Director that may lead to remote code execution. The security flaw was discovered by Tomas Melicher and Lukas Vaclavik, penetration testers at Citadelo. The auditors found that an authenticated attacker can use the product's HTML and Flex user interfaces or API calls to send malicious traffic to the system. The issue received a severity rating of 8.8 (high), though Citadelo clearly shows the risk to enterprises using an outdated version of Cloud Director.
Source: https://www.bleepingcomputer.com/news/security/vmware-cloud-director-flaw-lets-hackers-take-over-virtual-datacenters/