CVSS: 7.8EPSS: 0%CPEs: 57EXPL: 0CVE-2021-21991
https://notcve.org/view.php?id=CVE-2021-21991
22 Sep 2021 — The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash). vCenter Server contiene una vulnerabilidad de escalada de privilegios local debido a la forma en que maneja los tokens de sesión. Un actor malicioso con acceso de usuario no admi... • https://www.vmware.com/security/advisories/VMSA-2021-0020.html •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-22008 – VMware vCenter Server Appliance Missing Authentication Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-22008
22 Sep 2021 — The vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by sending a specially crafted json-rpc message to gain access to sensitive information. vCenter Server contiene una vulnerabilidad de divulgación de información en el servicio VAPI (vCenter API). Un actor malicioso con acceso de red al puerto 443 en vCenter Server puede explotar este problema mediante el envío de un men... • https://www.vmware.com/security/advisories/VMSA-2021-0020.html •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2021-22019 – VMware vCenter Server Appliance External Control of File Path Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2021-22019
22 Sep 2021 — The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. A malicious actor with network access to port 5480 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to create a denial of service condition. vCenter Server contiene una vulnerabilidad de denegación de servicio en el servicio VAPI (vCenter API). Un actor malicioso con acceso a la red al puerto 5480 en vCenter Server puede explotar este problema mediante el envío de un mensaje js... • https://www.vmware.com/security/advisories/VMSA-2021-0020.html •
CVSS: 7.8EPSS: 2%CPEs: 4EXPL: 3CVE-2021-22015 – VMware vCenter Server Appliance Incorrect Permission Assignment Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-22015
22 Sep 2021 — The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance. vCenter Server contiene múltiples vulnerabilidades de escalada de privilegios locales debido a permisos inapropiados de archivos y directorios. Un usuario local autenticado con privilegios no administrativos puede explotar est... • https://packetstorm.news/files/id/170116 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 10.0EPSS: 94%CPEs: 53EXPL: 12CVE-2021-21985 – VMware vCenter Server Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2021-21985
26 May 2021 — The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. VSphere Client (HTML5) contiene una vulnerabilidad de ejecución de código remota debido a una falta de comprobación de entrada en el pl... • https://packetstorm.news/files/id/163487 • CWE-20: Improper Input Validation CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 1%CPEs: 53EXPL: 0CVE-2021-21986 – VMware Security Advisory 2021-0010
https://notcve.org/view.php?id=CVE-2021-21986
26 May 2021 — The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication. VSphere Client (HTML5) contiene una vulnerabilidad en un mecanismo de autenticación de vSphere para los plugins Virtual SAN Health Check, Site Recovery,... • http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 87%CPEs: 43EXPL: 1CVE-2021-21973 – VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2021-21973
24 Feb 2021 — The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). El VSphere Client (HTML5) contie... • https://github.com/freakanonymous/CVE-2021-21973-Automateme • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 93%CPEs: 43EXPL: 36CVE-2021-21972 – VMware vCenter Server Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-21972
24 Feb 2021 — The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). El VSphere Client (HTML5) contiene una vulnerabilidad de ... • https://packetstorm.news/files/id/161695 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.4EPSS: 0%CPEs: 30EXPL: 0CVE-2020-3994
https://notcve.org/view.php?id=CVE-2020-3994
20 Oct 2020 — VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates. VMware vCenter Server (versiones 6.7 anteriores a 6.7u3, versiones 6.6 anterior... • https://www.vmware.com/security/advisories/VMSA-2020-0023.html • CWE-295: Improper Certificate Validation •
CVSS: 5.3EPSS: 0%CPEs: 229EXPL: 0CVE-2020-3976
https://notcve.org/view.php?id=CVE-2020-3976
21 Aug 2020 — VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. VMware ESXi y vCenter Server, contienen una vulnerabilidad de denegación de servicio parcial en sus respectivos servicios de autenticación. VMware ha evaluado que la gravedad de este problema se encuentra en el rango de gravedad Moderada con una puntuación bas... • https://www.vmware.com/security/advisories/VMSA-2020-0018.html • CWE-400: Uncontrolled Resource Consumption •