VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page. vCenter Server does not properly validate the presented certificate when establishing a connection to a CIM Server residing on an ESXi host. This may allow for a Man-in-the-middle attack against the CIM service.
Read VMware security advisory here - https://www.vmware.com/security/advisories/VMSA-2014-0012