VMware has blasted a bug in the web client for vSphere.
Bug VMSA-2016-0009 means “The vSphere Web Client contains a reflected cross-site scripting vulnerability due to a lack of input sanitization.” If an attacker sends you a malicious link, bad things are possible.
There's rich irony here, because vAdmins detest older releases of the vSphere Web Client. VMware does too: it recently announced a new Flash-free version.
If you're running vCenter Server 5.5 prior to 5.5 update 2d, version 5.1 prior to 5.1 update 3d or version 5.0 prior to 5.0 update 3g, get updating to the latest version available here. ®