CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22246
https://notcve.org/view.php?id=CVE-2024-22246
02 Apr 2024 — VMware SD-WAN Edge contains an unauthenticated command injection vulnerability potentially leading to remote code execution. A malicious actor with local access to the Edge Router UI during activation may be able to perform a command injection attack that could lead to full control of the router. VMware SD-WAN Edge contiene una vulnerabilidad de inyección de comandos no autenticados que podría conducir a la ejecución remota de código. Un actor malintencionado con acceso local a la interfaz de usuario del Ro... • https://www.vmware.com/security/advisories/VMSA-2024-0008.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.4EPSS: 19%CPEs: 3EXPL: 0CVE-2024-22259 – CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)
https://notcve.org/view.php?id=CVE-2024-22259
16 Mar 2024 — Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. Las aplicaciones que utilizan UriComponentsBuilder ... • https://security.netapp.com/advisory/ntap-20240524-0002 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22256
https://notcve.org/view.php?id=CVE-2024-22256
07 Mar 2024 — VMware Cloud Director contains a partial information disclosure vulnerability. A malicious actor can potentially gather information about organization names based on the behavior of the instance. VMware Cloud Director contiene una vulnerabilidad de divulgación parcial de información. Un actor malintencionado puede potencialmente recopilar información sobre los nombres de las organizaciones en función del comportamiento de la instancia. VMware Cloud Director contains a partial information disclosure vulnerab... • https://www.vmware.com/security/advisories/VMSA-2024-0007.html •
CVSS: 7.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-22254 – Out-of-bounds write vulnerability
https://notcve.org/view.php?id=CVE-2024-22254
05 Mar 2024 — VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox. VMware ESXi contiene una vulnerabilidad de escritura fuera de los límites. Un actor malicioso con privilegios dentro del proceso VMX puede desencadenar una escritura fuera de los límites que conduzca a un escape del entorno limitado. VMware ESXi contains an out-of-bounds write vulnerability. • https://www.vmware.com/security/advisories/VMSA-2024-0006.html • CWE-787: Out-of-bounds Write •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-22253 – Use-after-free vulnerability
https://notcve.org/view.php?id=CVE-2024-22253
05 Mar 2024 — VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the UHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. VMware ESXi, Workstation y Fusion contienen una ... • https://www.vmware.com/security/advisories/VMSA-2024-0006.html • CWE-416: Use After Free •
CVSS: 9.3EPSS: 0%CPEs: 5EXPL: 0CVE-2024-22252 – Use-after-free vulnerability
https://notcve.org/view.php?id=CVE-2024-22252
05 Mar 2024 — VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. VMware ESXi, Workstation y Fusion contienen una ... • https://www.vmware.com/security/advisories/VMSA-2024-0006.html • CWE-416: Use After Free •
CVSS: 9.4EPSS: 48%CPEs: 3EXPL: 3CVE-2024-22243 – CVE-2024-22243: Spring Framework URL Parsing with Host Validation
https://notcve.org/view.php?id=CVE-2024-22243
23 Feb 2024 — Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. Las aplicaciones que utilizan UriComponentsBuilder para analizar una URL proporcionada externamente (por ejemplo, a través de un parámetro de consulta) Y realizan comprobacione... • https://github.com/SeanPesce/CVE-2024-22243 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-22235
https://notcve.org/view.php?id=CVE-2024-22235
21 Feb 2024 — VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'. VMware Aria Operations contiene una vulnerabilidad de escalada de privilegios local. Un actor malicioso con acceso administrativo al sistema local puede escalar privilegios a "root". VMware Aria Operations contains a local privilege escalation vulnerability. • https://www.vmware.com/security/advisories/VMSA-2024-0004.html • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22250 – Session Hijack Vulnerability in Deprecated EAP Browser Plugin
https://notcve.org/view.php?id=CVE-2024-22250
20 Feb 2024 — Session Hijack vulnerability in Deprecated VMware Enhanced Authentication Plug-in could allow a malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system. La vulnerabilidad de secuestro de sesión en el obsoleto complemento de autenticación mejorada de VMware podría permitir que un actor malicioso con acceso local sin privilegios a un sistema operativo Windows pueda secuestrar una sesión EAP p... • https://www.vmware.com/security/advisories/VMSA-2024-0003.html • CWE-384: Session Fixation •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22245 – Arbitrary Authentication Relay Vulnerability in Deprecated EAP Browser Plugin
https://notcve.org/view.php?id=CVE-2024-22245
20 Feb 2024 — Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). Las vulnerabilidades de retransmisión de autenticación arbitraria y secuestro de sesión en el obsoleto complemento de autenticación mejorada (EAP) de VMware podrían pe... • https://www.vmware.com/security/advisories/VMSA-2024-0003.html • CWE-287: Improper Authentication •