
CVE-2022-22954 – VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-22954
11 Apr 2022 — VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. • https://packetstorm.news/files/id/166935 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2021-22050
https://notcve.org/view.php?id=CVE-2021-22050
16 Feb 2022 — ESXi contains a slow HTTP POST denial-of-service vulnerability in rhttpproxy. A malicious actor with network access to ESXi may exploit this issue to create a denial-of-service condition by overwhelming the rhttpproxy service with multiple requests. • https://www.vmware.com/security/advisories/VMSA-2022-0004.html • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2021-22041
https://notcve.org/view.php?id=CVE-2021-22041
16 Feb 2022 — VMware ESXi, Workstation, and Fusion contain a double-fetch vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. • https://www.vmware.com/security/advisories/VMSA-2022-0004.html

CVE-2021-22042
https://notcve.org/view.php?id=CVE-2021-22042
16 Feb 2022 — VMware ESXi contains an unauthorized access vulnerability due to VMX having access to settingsd authorization tickets. A malicious actor with privileges within the VMX process only may be able to access the settingsd service running as a high-privileged user. • https://www.vmware.com/security/advisories/VMSA-2022-0004.html • CWE-863: Incorrect Authorization

CVE-2021-22040
https://notcve.org/view.php?id=CVE-2021-22040
16 Feb 2022 — VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. • https://www.vmware.com/security/advisories/VMSA-2022-0004.html • CWE-416: Use After Free

CVE-2021-22045 – VMware Workstation SCSI Heap-based Buffer Overflow Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-22045
04 Jan 2022 — VMware ESXi (7.0, 6.7 before ESXi670-202111101-SG and 6.5 before ESXi650-202110101-SG), VMware Workstation (16.2.0) and VMware Fusion (12.2.0) contain a heap-overflow vulnerability in CD-ROM device emulation. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine. • http://packetstormsecurity.com/files/165440/VMware-Security-Advisory-2022-0001.html • CWE-787: Out-of-bounds Write

CVE-2021-22035
https://notcve.org/view.php?id=CVE-2021-22035
13 Oct 2021 — VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV (Comma Separated Value) injection vulnerability in the interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight, which could be executed in the user's environment. • https://www.vmware.com/security/advisories/VMSA-2021-0022.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2021-22033
https://notcve.org/view.php?id=CVE-2021-22033
13 Oct 2021 — Releases prior to VMware vRealize Operations 8.6 contain a Server Side Request Forgery (SSRF) vulnerability. • https://www.vmware.com/security/advisories/VMSA-2021-0021.html • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2021-22020
https://notcve.org/view.php?id=CVE-2021-22020
23 Sep 2021 — The vCenter Server contains a denial-of-service vulnerability in the Analytics service. Successful exploitation of this issue may allow an attacker to create a denial-of-service condition on vCenter Server. • https://www.vmware.com/security/advisories/VMSA-2021-0020.html

CVE-2021-22016
https://notcve.org/view.php?id=CVE-2021-22016
23 Sep 2021 — The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. An attacker may exploit this issue to execute malicious scripts by tricking a victim into clicking a malicious link. • https://www.vmware.com/security/advisories/VMSA-2021-0020.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')