CVSS: 10.0EPSS: 94%CPEs: 53EXPL: 12CVE-2021-21985 – VMware vCenter Server Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2021-21985
26 May 2021 — The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. VSphere Client (HTML5) contiene una vulnerabilidad de ejecución de código remota debido a una falta de comprobación de entrada en el pl... • https://packetstorm.news/files/id/163487 • CWE-20: Improper Input Validation CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 1%CPEs: 53EXPL: 0CVE-2021-21986 – VMware Security Advisory 2021-0010
https://notcve.org/view.php?id=CVE-2021-21986
26 May 2021 — The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication. VSphere Client (HTML5) contiene una vulnerabilidad en un mecanismo de autenticación de vSphere para los plugins Virtual SAN Health Check, Site Recovery,... • http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 87%CPEs: 43EXPL: 1CVE-2021-21973 – VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2021-21973
24 Feb 2021 — The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). El VSphere Client (HTML5) contie... • https://github.com/freakanonymous/CVE-2021-21973-Automateme • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 93%CPEs: 43EXPL: 36CVE-2021-21972 – VMware vCenter Server Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-21972
24 Feb 2021 — The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). El VSphere Client (HTML5) contiene una vulnerabilidad de ... • https://packetstorm.news/files/id/161695 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 229EXPL: 0CVE-2020-3976
https://notcve.org/view.php?id=CVE-2020-3976
21 Aug 2020 — VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. VMware ESXi y vCenter Server, contienen una vulnerabilidad de denegación de servicio parcial en sus respectivos servicios de autenticación. VMware ha evaluado que la gravedad de este problema se encuentra en el rango de gravedad Moderada con una puntuación bas... • https://www.vmware.com/security/advisories/VMSA-2020-0018.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 10.0EPSS: 88%CPEs: 345EXPL: 23CVE-2014-7169 – GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-7169
25 Sep 2014 — GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a ... • https://packetstorm.news/files/id/128650 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-228: Improper Handling of Syntactically Invalid Structure •
CVSS: 10.0EPSS: 94%CPEs: 345EXPL: 135CVE-2014-6271 – GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-6271
24 Sep 2014 — GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." N... • https://packetstorm.news/files/id/181111 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 26EXPL: 0CVE-2014-4258 – mysql: unspecified vulnerability related to SRINFOSC (CPU July 2014)
https://notcve.org/view.php?id=CVE-2014-4258
17 Jul 2014 — Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.37 and earlier and 5.6.17 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SRINFOSC. Vulnerabilidad no especificada en el componente MySQL Server en Oracle MySQL 5.5.37 y anteriores y 5.6.17 y anteriores permite a usuarios remotos autenticados afectar la confidencialidad, integridad y disponibilidad a través de vectores relacionados con SRINFOSC. Multiple sec... • http://lists.opensuse.org/opensuse-security-announce/2014-08/msg00012.html •
CVSS: 6.1EPSS: 2%CPEs: 30EXPL: 0CVE-2009-3731
https://notcve.org/view.php?id=CVE-2009-3731
16 Dec 2009 — Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) ... • http://archives.neohapsis.com/archives/bugtraq/2009-12/0229.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •