Page 12 of 880 results (0.003 seconds)

CVSS: 7.5EPSS: 11%CPEs: 1EXPL: 0

Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure. This vulnerability allows remote attackers to disclose sensitive information on affected installations of VMware Aria Operations for Networks. Authentication is required to exploit this vulnerability. The specific flaw exists within the exportPDF method. The issue results from the lack of proper validation of a user-supplied string before using it to execute JavaScript code. • https://www.vmware.com/security/advisories/VMSA-2023-0012.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 8.8EPSS: 20%CPEs: 1EXPL: 0

Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of VMware Aria Operations for Networks. Authentication is required to exploit this vulnerability. The specific flaw exists within the getNotifiedEvents method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://www.vmware.com/security/advisories/VMSA-2023-0012.html • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.8EPSS: 96%CPEs: 1EXPL: 4

Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of VMware Aria Operations for Networks. Authentication is not required to exploit this vulnerability. The specific flaw exists within the createSupportBundle method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. • https://github.com/sinsinology/CVE-2023-20887 https://github.com/miko550/CVE-2023-20887 https://github.com/Malwareman007/CVE-2023-20887 http://packetstormsecurity.com/files/173761/VMWare-Aria-Operations-For-Networks-Remote-Command-Execution.html https://www.vmware.com/security/advisories/VMSA-2023-0012.html https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0

VMware Tools for Windows (12.x.y prior to 12.1.5, 11.x.y and 10.x.y) contains a denial-of-service vulnerability in the VM3DMP driver. A malicious actor with local user privileges in the Windows guest OS, where VMware Tools is installed, can trigger a PANIC in the VM3DMP driver leading to a denial-of-service condition in the Windows guest OS. • https://security.netapp.com/advisory/ntap-20221223-0009 https://security.netapp.com/advisory/ntap-20230824-0009 https://www.vmware.com/security/advisories/VMSA-2022-0029.html •

CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0

VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure. • https://www.vmware.com/security/advisories/VMSA-2023-0011.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •