CVE-2023-20889 – VMware Aria Operations for Networks exportPDF Code Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-20889
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure. This vulnerability allows remote attackers to disclose sensitive information on affected installations of VMware Aria Operations for Networks. Authentication is required to exploit this vulnerability. The specific flaw exists within the exportPDF method. The issue results from the lack of proper validation of a user-supplied string before using it to execute JavaScript code.
• https://www.vmware.com/security/advisories/VMSA-2023-0012.html
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-20888 – VMware Aria Operations for Networks getNotifiedEvents Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-20888
Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of VMware Aria Operations for Networks. Authentication is required to exploit this vulnerability. The specific flaw exists within the getNotifiedEvents method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data.
• https://www.vmware.com/security/advisories/VMSA-2023-0012.html
• CWE-502: Deserialization of Untrusted Data
CVE-2022-31702 – VMware vRealize Network Insight createSupportBundle Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-31702
vRealize Network Insight (vRNI) contains a command injection vulnerability present in the vRNI REST API. A malicious actor with network access to the vRNI REST API can execute commands without authentication. This vulnerability allows remote attackers to execute arbitrary code on affected installations of VMware vRealize Network Insight. Authentication is not required to exploit this vulnerability. The specific flaw exists within the createSupportBundle function.
• https://www.vmware.com/security/advisories/VMSA-2022-0031.html
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')