CVE-2017-4940
https://notcve.org/view.php?id=CVE-2017-4940
The ESXi Host Client in VMware ESXi (6.5 before ESXi650-201712103-SG, 5.5 before ESXi600-201711103-SG and 5.5 before ESXi550-201709102-SG) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker can exploit this vulnerability by injecting Javascript, which might get executed when other users access the Host Client. El ESXi Host Client en VMware ESXi (6.5 anteriores a la ESXi650-201712103-SG, 5.5 anteriores a la ESXi600-201711103-SG y 5.5 anteriores a la ESXi550-201709102-SG) contiene una vulnerabilidad que podría contener Cross-Site Scripting (XSS) persistente. Un atacante puede explotar esta vulnerabilidad inyectando código JavaScript que podría ejecutarse cuando otros usuarios acceden a Host Client. • http://www.securitytracker.com/id/1040024 https://www.vmware.com/security/advisories/VMSA-2017-0021.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-4925
https://notcve.org/view.php?id=CVE-2017-4925
VMware ESXi 6.5 without patch ESXi650-201707101-SG, ESXi 6.0 without patch ESXi600-201706101-SG, ESXi 5.5 without patch ESXi550-201709101-SG, Workstation (12.x before 12.5.3), Fusion (8.x before 8.5.4) contain a NULL pointer dereference vulnerability. This issue occurs when handling guest RPC requests. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. VMware ESXi 6.5 sin el parche ESXi650-201707101-SG, ESXi 6.0 sin el parche ESXi600-201706101-SG, ESXi 5.5 sin el parche ESXi550-201709101-SG, Workstation (en versiones 12.x anteriores a la 12.5.3) y Fusion (en versiones 8.x anteriores a la 8.5.4) contienen una vulnerabilidad de desreferencia de puntero NULL. Este problema ocurre cuando se gestionan peticiones RPC por parte de un invitado. • http://www.securityfocus.com/bid/100842 http://www.securitytracker.com/id/1039367 http://www.securitytracker.com/id/1039368 https://www.vmware.com/security/advisories/VMSA-2017-0015.html • CWE-476: NULL Pointer Dereference •
CVE-2017-4903 – VMware Workstation SVGA Uninitialized Memory Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2017-4903
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, and 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 have an uninitialized stack memory usage in SVGA. This issue may allow a guest to execute code on the host. ESXi versiones 6.5 sin el parche ESXi650-201703410-SG, 6.0 U3 sin el parche ESXi600-201703401-SG, 6.0 U2 sin el parche ESXi600-201703403-SG, 6.0 U1 sin el parche ESXi600-201703402-SG, y 5.5 sin el parche ESXi550-20-20170140; Workstation Pro / Player versión 12.x anterior de 12.5.5; y Fusion Pro / Fusion versiones 8.x anterior a 8.5.6 de VMware, presenta un uso de memoria de la pila no inicializada en SVGA. Este problema puede permitir a un invitado ejecutar código en el host. This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of VMware Workstation. • http://www.securityfocus.com/bid/97160 http://www.securitytracker.com/id/1038148 http://www.securitytracker.com/id/1038149 http://www.vmware.com/security/advisories/VMSA-2017-0006.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2017-4904 – VMware Workstation Uninitialized Memory Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2017-4904
The XHCI controller in VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, and 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 has uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5. El controlador XHCI en ESXi versiones 6.5 sin parche ESXi650-201703410-SG, 6.0 U3 sin parche ESXi600-201703401-SG, 6.0 U2 sin parche ESXi600-201703403-SG, 6.0 U1 sin parche ESXi600-201703402-SG, y 5.5 sin parche ESXi550 -201703401-SG; Workstation Pro / Player versiones 12.x anteriores a 12.5.5; y Fusion Pro / Fusion versiones 8.x anteriores a 8.5.6 de VMware, presenta un uso de memoria no inicializada. Este problema puede permitir a un invitado ejecutar código en el host. • http://www.securityfocus.com/bid/97165 http://www.securitytracker.com/id/1038148 http://www.securitytracker.com/id/1038149 http://www.vmware.com/security/advisories/VMSA-2017-0006.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2017-4905 – VMware Workstation Uninitialized Memory Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2017-4905
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 have uninitialized memory usage. This issue may lead to an information leak. ESXi versiones 6.5 sin parche ESXi650-201703410-SG, 6.0 U3 sin parche ESXi600-201703401-SG, 6.0 U2 sin parche ESXi600-201703403-SG, 6.0 U1 sin parche ESXi600-201703402-SG, 5.5 sin parche ESXi550-201701401-SG; Workstation Pro / Player versiones 12.x anteriores a 12.5.5; y Fusion Pro / Fusion versiones 8.x anteriores a 8.5.6 de VMware, presenta un uso de memoria no inicializada. Este problema puede conducir a un filtrado de información. This vulnerability allows local attackers to disclose sensitive information on vulnerable installations of VMware Workstation. • https://www.exploit-db.com/exploits/47715 http://www.securityfocus.com/bid/97164 http://www.securitytracker.com/id/1038148 http://www.securitytracker.com/id/1038149 http://www.vmware.com/security/advisories/VMSA-2017-0006.html • CWE-908: Use of Uninitialized Resource •