I'm not clear exactly what the issue is on this "critical" vulnerability.  Is the issue that if someone logs into vcenter admin privileges with the web client, then visits a malicious website while they are logged in, that the malicious website code could take over their session and get control of vCenter without the person seeing what is happening? Not sure I understand the risk...can someone clarify?