CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2014-8372 – AirWatch Direct Object Reference
https://notcve.org/view.php?id=CVE-2014-8372
AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 (FP3) allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference. AirWatch by VMware On-Premise 7.3.x anterior a 7.3.3.0 (FP3) permite a usuarios remotos autenticados obtener la información y estadísticas organizativas de inquilinos arbitrarios a través de vectores que involucran una referencia de objeto directo. Multiple direct object reference vulnerabilities were found within the AirWatch cloud console. VMWare advised that these issues also affect on-premise AirWatch deployments. A malicious AirWatch user may leverage several direct object references to gain access to information regarding other AirWatch customers using the AirWatch cloud. • http://seclists.org/fulldisclosure/2014/Dec/44 http://www.vmware.com/security/advisories/VMSA-2014-0014.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2014-8373
https://notcve.org/view.php?id=CVE-2014-8373
The VMware Remote Console (VMRC) function in VMware vCloud Automation Center (vCAC) 6.0.1 through 6.1.1 allows remote authenticated users to gain privileges via vectors involving the "Connect (by) Using VMRC" function. La función VMware Remote Console (VMRC) en VMware vCloud Automation Center (vCAC) 6.0.1 hasta 6.1.1 permite a usuarios remotos autenticados ganar privilegios a través de vectores que involucran la función 'Connect (by) Using VMRC' (conectar utilizando VMRC). • http://packetstormsecurity.com/files/129455/VMware-Security-Advisory-2014-0013.html http://seclists.org/fulldisclosure/2014/Dec/33 http://secunia.com/advisories/61169 http://www.securityfocus.com/archive/1/534186/100/0/threaded http://www.securitytracker.com/id/1031323 http://www.vmware.com/security/advisories/VMSA-2014-0013.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2014-3797
https://notcve.org/view.php?id=CVE-2014-3797
Cross-site scripting (XSS) vulnerability in VMware vCenter Server Appliance (vCSA) 5.1 before Update 3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en VMware vCenter Server Appliance (vCSA) 5.1 anterior a Update 3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://seclists.org/fulldisclosure/2014/Dec/23 http://www.securityfocus.com/archive/1/534161/100/0/threaded http://www.vmware.com/security/advisories/VMSA-2014-0012.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2014-8371
https://notcve.org/view.php?id=CVE-2014-8371
VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, which allows man-in-the-middle attackers to spoof CIM servers via a crafted certificate. VMware vCenter Server Appliance (vCSA) 5.5 anterior a Update 2, 5.1 anterior a Update 3, y 5.0 anterior a Update 3c no valida correctamente los certificados cuando conecta a un servidor CIM en un anfitrión ESXi, lo que permite a atacantes man-in-the-middle suplantar servidores CIM a través de un certificado manipulado. • http://seclists.org/fulldisclosure/2014/Dec/23 http://www.securityfocus.com/archive/1/534161/100/0/threaded http://www.vmware.com/security/advisories/VMSA-2014-0012.html • CWE-310: Cryptographic Issues •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2014-3625 – Framework: directory traversal flaw
https://notcve.org/view.php?id=CVE-2014-3625
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. Vulnerabilidad de salto de directorio (Directory Traversal) en Pivotal Spring Framework versión 3.0.4 hasta 3.2.x anterior a 3.2.12, versión 4.0.x anterior a 4.0.8 y versión 4.1.x anterior a 4.1.2, permite a atacantes remotos leer archivos arbitrarios por medio de vectores no especificados, relacionados al manejo de recurso estático. A directory traversal flaw was found in the way the Spring Framework sanitized certain URLs. A remote attacker could use this flaw to obtain any file on the file system that was also accessible to the process in which the Spring web application was running. • http://rhn.redhat.com/errata/RHSA-2015-0236.html http://rhn.redhat.com/errata/RHSA-2015-0720.html http://www.pivotal.io/security/cve-2014-3625 https://jira.spring.io/browse/SPR-12354 https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html https://access.redhat.com/security/cve/CVE-2014-3625 https://bugzilla.redhat.com/show_bug.cgi?id=1165936 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •