CVSS: 5.9EPSS: 0%CPEs: 29EXPL: 0CVE-2019-5538
https://notcve.org/view.php?id=CVE-2019-5538
28 Oct 2019 — Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over SCP. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations. Una v... • https://www.vmware.com/security/advisories/VMSA-2019-0018.html • CWE-295: Improper Certificate Validation •
CVSS: 5.9EPSS: 0%CPEs: 29EXPL: 0CVE-2019-5537
https://notcve.org/view.php?id=CVE-2019-5537
28 Oct 2019 — Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over FTPS and HTTPS. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operat... • https://www.vmware.com/security/advisories/VMSA-2019-0018.html • CWE-295: Improper Certificate Validation •
CVSS: 5.8EPSS: 0%CPEs: 68EXPL: 0CVE-2019-5531 – VMware Security Advisory 2019-0013
https://notcve.org/view.php?id=CVE-2019-5531
18 Sep 2019 — VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or th... • http://www.vmware.com/security/advisories/VMSA-2019-0013.html • CWE-613: Insufficient Session Expiration •
CVSS: 7.7EPSS: 0%CPEs: 44EXPL: 0CVE-2019-5532 – VMware Security Advisory 2019-0013
https://notcve.org/view.php?id=CVE-2019-5532
18 Sep 2019 — VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine). VMware vCenter Server (versión 6.7.x anterior ... • http://packetstormsecurity.com/files/154536/VMware-Security-Advisory-2019-0013.html • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.7EPSS: 0%CPEs: 44EXPL: 0CVE-2019-5534 – VMware Security Advisory 2019-0013
https://notcve.org/view.php?id=CVE-2019-5534
18 Sep 2019 — VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine). VMware vCenter Server (versi... • http://packetstormsecurity.com/files/154536/VMware-Security-Advisory-2019-0013.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2017-4943
https://notcve.org/view.php?id=CVE-2017-4943
20 Dec 2017 — VMware vCenter Server Appliance (vCSA) (6.5 before 6.5 U1d) contains a local privilege escalation vulnerability via the 'showlog' plugin. Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS. VMware vCenter Server Appliance (vCSA) (6.5 anteriores a 6.5 U1d) contiene una vulnerabilidad de escalado de privilegios locales mediante el plugin showlog. La explotación exitosa de esta vulnerabilidad podría resultar en que un usuario poc... • http://www.securitytracker.com/id/1040026 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2017-4927
https://notcve.org/view.php?id=CVE-2017-4927
17 Nov 2017 — VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) does not correctly handle specially crafted LDAP network packets which may allow for remote denial of service. VMware vCenter Server (en versiones 6.5 anteriores a la 6.5 U1 y versiones 6.0 anteriores a la 6.0 U3c) no gestiona correctamente paquetes de red LDAP especialmente manipulados, lo que puede permitir que se provoque una denegación de servicio de forma remota. • http://www.securityfocus.com/bid/101786 • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •
CVSS: 7.5EPSS: 0%CPEs: 27EXPL: 0CVE-2017-4928
https://notcve.org/view.php?id=CVE-2017-4928
17 Nov 2017 — The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure. vSphere Web Client basado en flash(en versiones 6.0 anteriores a la 6.0 U3c y versiones 5.5 anteriores a la 5.5 U3f), es decir, no el nuevo vSphere Client bas... • http://www.securityfocus.com/bid/101785 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-4926
https://notcve.org/view.php?id=CVE-2017-4926
15 Sep 2017 — VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page. VMware vCenter Server (en versiones 6.5 anteriores a la 6.5 U1) contiene una vulnerabilidad que podría permitir ataques de Cross-Site Scripting (XSS) persistente. Un atacante con privilegios de usuario VC puede inyectar códigos JavaScript maliciosos, que se ... • http://www.securityfocus.com/bid/100844 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-4921
https://notcve.org/view.php?id=CVE-2017-4921
01 Aug 2017 — VMware vCenter Server (6.5 prior to 6.5 U1) contains an insecure library loading issue that occurs due to the use of LD_LIBRARY_PATH variable in an unsafe manner. Successful exploitation of this issue may allow unprivileged host users to load a shared library that may lead to privilege escalation. VMware vCenter Server en su versión 6.5 anterior a la 6.5 U1 tiene un problema de carga insegura de librerías que ocurre porque se utiliza la variable LD_LIBRARY_PATH de una manera no segura. Si se explota con éxi... • http://www.securityfocus.com/bid/100006 •