vSphere Web Client extensions run at the same privilege level as the user who is logged in. A malicious extension can masquerade as a useful plug-in and perform harmful operations such as stealing credentials or changing the system configuration. To increase security, use a vSphere Web Client installation that includes only authorized extensions from trusted sources.
A vCenter installation includes the vSphere Web Client extensibility framework. You can use this framework to extend the vSphere Web Client with menu selections or toolbar icons. The extensions can provide access to vCenter add-on components or external, Web-based functionality.
Using the extensibility framework carries the risk of introducing unintended capabilities. For example, if an administrator installs a plug-in in an instance of the vSphere Web Client, the plug-in can execute arbitrary commands with the privilege level of that administrator.
To protect against potential compromise of your vSphere Web Client, examine all installed plug-ins periodically and make sure that each plug-in comes from a trusted source.
You must have privileges to access the vCenter Single Sign-On service. These privileges differ from vCenter Server privileges.
- Log in to the vSphere Web Client as email@example.com or a user with vCenter Single Sign-On privileges.
- From the Home page, select Administration, and then select Client Plug-Ins under Solutions.
- Examine the list of client plug-ins.
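The periodic review described above can be turned into a repeatable check by comparing the plug-in list against an approved baseline. The following is an added example, not VMware code: the record fields (`key`, `company`, `version`, `url`), the allowlist layout, and every sample value are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Approved plug-ins (constructed values): key -> vendor, versions, package hosts.
ALLOWLIST = {
    "com.example.backup": {"company": "Example Backup Inc.",
                           "versions": {"2.1.0"}, "hosts": {"plugins.example.com"}},
    "com.example.monitor": {"company": "Example Monitoring",
                            "versions": {"1.4.2"}, "hosts": {"plugins.example.com"}},
    "com.example.reports": {"company": "Example Reports",
                            "versions": {"3.0.1"}, "hosts": {"plugins.example.com"}},
}

# Constructed inventory, as it might be transcribed from the Client Plug-Ins list.
INSTALLED = [
    {"key": "com.example.backup", "company": "Example Backup Inc.",
     "version": "2.1.0", "url": "https://plugins.example.com/backup-2.1.0.zip"},
    {"key": "com.example.monitor", "company": "Example Monitoring",
     "version": "1.5.0", "url": "http://plugins.example.com/monitor-1.5.0.zip"},
    {"key": "com.example.helper", "company": "Unknown",
     "version": "0.9", "url": "https://downloads.example.net/helper.zip"},
]

def audit_plugins(installed, allowlist):
    """Return (plug-in key, finding) pairs; an empty list means no drift."""
    findings, seen = [], set()
    for plugin in installed:
        key = plugin["key"]
        seen.add(key)
        approved = allowlist.get(key)
        if approved is None:
            findings.append((key, "not on the approved list"))
            continue
        if plugin.get("company") != approved["company"]:
            findings.append((key, "vendor differs from approved record"))
        if plugin.get("version") not in approved["versions"]:
            findings.append((key, "version not approved"))
        url = urlparse(plugin.get("url", ""))
        if url.scheme != "https":
            findings.append((key, "package URL is not HTTPS"))
        elif url.hostname not in approved["hosts"]:
            findings.append((key, "package host not approved"))
    # Report approved entries that are absent so the baseline stays current.
    for key in sorted(set(allowlist) - seen):
        findings.append((key, "approved but not installed"))
    return findings

if __name__ == "__main__":
    for key, finding in audit_plugins(INSTALLED, ALLOWLIST):
        print(f"{key}: {finding}")
```

Any finding is a prompt to confirm the plug-in's source with its vendor before leaving it installed.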