CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2021-22019 – VMware vCenter Server Appliance External Control of File Path Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2021-22019
22 Sep 2021 — The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. A malicious actor with network access to port 5480 on vCenter Server may exploit this issue by sending a specially crafted jsonrpc message to create a denial of service condition. vCenter Server contiene una vulnerabilidad de denegación de servicio en el servicio VAPI (vCenter API). Un actor malicioso con acceso a la red al puerto 5480 en vCenter Server puede explotar este problema mediante el envío de un mensaje js... • https://www.vmware.com/security/advisories/VMSA-2021-0020.html •
CVSS: 7.8EPSS: 2%CPEs: 4EXPL: 3CVE-2021-22015 – VMware vCenter Server Appliance Incorrect Permission Assignment Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-22015
22 Sep 2021 — The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance. vCenter Server contiene múltiples vulnerabilidades de escalada de privilegios locales debido a permisos inapropiados de archivos y directorios. Un usuario local autenticado con privilegios no administrativos puede explotar est... • https://packetstorm.news/files/id/170116 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 10.0EPSS: 94%CPEs: 53EXPL: 12CVE-2021-21985 – VMware vCenter Server Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2021-21985
26 May 2021 — The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. VSphere Client (HTML5) contiene una vulnerabilidad de ejecución de código remota debido a una falta de comprobación de entrada en el pl... • https://packetstorm.news/files/id/163487 • CWE-20: Improper Input Validation CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 1%CPEs: 53EXPL: 0CVE-2021-21986 – VMware Security Advisory 2021-0010
https://notcve.org/view.php?id=CVE-2021-21986
26 May 2021 — The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication. VSphere Client (HTML5) contiene una vulnerabilidad en un mecanismo de autenticación de vSphere para los plugins Virtual SAN Health Check, Site Recovery,... • http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 87%CPEs: 43EXPL: 1CVE-2021-21973 – VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2021-21973
24 Feb 2021 — The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). El VSphere Client (HTML5) contie... • https://github.com/freakanonymous/CVE-2021-21973-Automateme • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 93%CPEs: 43EXPL: 36CVE-2021-21972 – VMware vCenter Server Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-21972
24 Feb 2021 — The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). El VSphere Client (HTML5) contiene una vulnerabilidad de ... • https://packetstorm.news/files/id/161695 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.4EPSS: 0%CPEs: 30EXPL: 0CVE-2020-3994
https://notcve.org/view.php?id=CVE-2020-3994
20 Oct 2020 — VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates. VMware vCenter Server (versiones 6.7 anteriores a 6.7u3, versiones 6.6 anterior... • https://www.vmware.com/security/advisories/VMSA-2020-0023.html • CWE-295: Improper Certificate Validation •
CVSS: 5.3EPSS: 0%CPEs: 229EXPL: 0CVE-2020-3976
https://notcve.org/view.php?id=CVE-2020-3976
21 Aug 2020 — VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. VMware ESXi y vCenter Server, contienen una vulnerabilidad de denegación de servicio parcial en sus respectivos servicios de autenticación. VMware ha evaluado que la gravedad de este problema se encuentra en el rango de gravedad Moderada con una puntuación bas... • https://www.vmware.com/security/advisories/VMSA-2020-0018.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 93%CPEs: 1EXPL: 12CVE-2020-3952 – VMware vCenter Server Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-3952
10 Apr 2020 — Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. Bajo determinadas condiciones, vmdir que se entrega con VMware vCenter Server, como parte de un Platform Services Controller (PSC) incorporado o externo, no implementa correctamente los controles de acceso. VMware vCenter Server contains an information disclosure vulnerability in the VMware Directory Service (vmdir) when t... • https://packetstorm.news/files/id/180774 • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.9EPSS: 0%CPEs: 29EXPL: 0CVE-2019-5538
https://notcve.org/view.php?id=CVE-2019-5538
28 Oct 2019 — Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over SCP. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations. Una v... • https://www.vmware.com/security/advisories/VMSA-2019-0018.html • CWE-295: Improper Certificate Validation •