CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 3CVE-2012-0903
https://notcve.org/view.php?id=CVE-2012-0903
Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Desktop 7.1.2 b10978 allow remote attackers to inject arbitrary web script or HTML via the (1) Username or (2) MailBox Name. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Zimbra Desktop v7.1.2 b10978, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) Username o (2) MailBox Name. • http://packetstormsecurity.org/files/view/108715/VL-378.txt http://seclists.org/fulldisclosure/2012/Jan/244 http://www.securityfocus.com/bid/51436 http://www.vulnerability-lab.com/get_content.php?id=378 https://exchange.xforce.ibmcloud.com/vulnerabilities/72405 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 96%CPEs: 6EXPL: 1CVE-2011-4404 – VMware - Update Manager Directory Traversal
https://notcve.org/view.php?id=CVE-2011-4404
The default configuration of the HTTP server in Jetty in vSphere Update Manager in VMware vCenter Update Manager 4.0 before Update 4 and 4.1 before Update 2 allows remote attackers to conduct directory traversal attacks and read arbitrary files via unspecified vectors, a related issue to CVE-2009-1523. La configuración por defecto del servidor HTTP en Jetty en vSphere Update Manager bajo VMware vCenter Update Manager v4.0 antes de la actualización 4 y v4.1 antes de la actualización 2 permite realizar ataques de salto de directorio y leer archivos arbitrarios a atacantes remotos a través de vectores no especificados. Se trata de un problema relacionado con CVE-2009 -1523. VMware Update Manager versions 4.1 prior to update 2 suffer from a directory traversal vulnerability. • https://www.exploit-db.com/exploits/18138 http://jetty.codehaus.org/jetty/jetty-6/xref/org/mortbay/jetty/handler/ResourceHandler.html http://jetty.codehaus.org/jetty/jetty-6/xref/org/mortbay/jetty/servlet/DefaultServlet.html http://www.securitytracker.com/id?1026341 http://www.vmware.com/security/advisories/VMSA-2011-0014.html https://www.vmware.com/security/advisories/VMSA-2011-0014.html http://dsecrg.com/pages/vul/show.php?id=342 • CWE-16: Configuration •
CVSS: 9.3EPSS: 27%CPEs: 18EXPL: 0CVE-2011-3868
https://notcve.org/view.php?id=CVE-2011-3868
Buffer overflow in VMware Workstation 7.x before 7.1.5, VMware Player 3.x before 3.1.5, VMware Fusion 3.1.x before 3.1.3, and VMware AMS allows remote attackers to execute arbitrary code via a crafted UDF filesystem in an ISO image. Desbordamiento de bufer en VMware Workstation 7.x anterior a v7.1.5, VMware Player v3.x anterior a v3.1.5, VMware Fusion v3.1.x anterior v3.1.3, y VMware AMS permite a atacantes remotos ejecutar código arbitrario mediante un systema de ficheros manipulado UDF en una imagen ISO • http://osvdb.org/76060 http://secunia.com/advisories/46241 http://security.gentoo.org/glsa/glsa-201209-25.xml http://www.securityfocus.com/archive/1/520005/100/0/threaded http://www.securityfocus.com/bid/49942 http://www.securitytracker.com/id?1026139 http://www.vmware.com/security/advisories/VMSA-2011-0011.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.1EPSS: 0%CPEs: 13EXPL: 0CVE-2011-2731
https://notcve.org/view.php?id=CVE-2011-2731
Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread. Condición de carrera en el mecanismo RunAsManager en Mware SpringSource Spring Security antes de v2.0.7 y v3.0.x antes de v3.0.6 almacena el objeto Authentication en el contexto de seguridad compartida, lo que permite a atacantes remotos ganar privilegios a través de un hilo manipulado. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814 http://secunia.com/advisories/55155 http://support.springsource.com/security/cve-2011-2731 http://www.securitytracker.com/id/1029151 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0CVE-2011-2894 – Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization
https://notcve.org/view.php?id=CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. Spring Framework v3.0.0 hasta la v3.0.5, v3.0.0 hasta la de Spring Security v3.0.5 y v2.0.0 y v2.0.6, y posiblemente otras versiones permite des-serializar objetos de fuentes no fiables, lo que permite a atacantes remotos eludir las restricciones de seguridad existentes y permite la ejecución de código no seguro (1) serializando una instancia de java.lang.Proxy y mediante el uso de InvocationHandler, o (2) accediendo a las interfaces internas AOP, como se demuestra con la des-serialización de una instancia de DefaultListableBeanFactory para ejecutar código arbitrario a través de la clase java.lang.Runtime. • http://osvdb.org/75263 http://securityreason.com/securityalert/8405 http://www.redhat.com/support/errata/RHSA-2011-1334.html http://www.securityfocus.com/archive/1/519593/100/0/threaded http://www.securityfocus.com/bid/49536 http://www.springsource.com/security/cve-2011-2894 https://exchange.xforce.ibmcloud.com/vulnerabilities/69687 https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894 https://access.redhat.com/security/cve/CVE-2011-2894 • CWE-502: Deserialization of Untrusted Data •