CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3946
https://notcve.org/view.php?id=CVE-2020-3946
InstallBuilder AutoUpdate tool and regular installers enabling <checkForUpdates> built with versions earlier than 19.11 are vulnerable to Billion laughs attack (denial-of-service). La herramienta InstallBuilder AutoUpdate y los instaladores regulares habilitando (checkForUpdates) compilados con versiones anteriores a la versión 19.11, son vulnerables a un ataque de tipo Billion laughs (denegación de servicio). • https://blog.installbuilder.com/2019/12/configure-autoupdate-project-settings.html • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3953
https://notcve.org/view.php?id=CVE-2020-3953
Cross Site Scripting (XSS) vulnerability exists in VMware vRealize Log Insight prior to 8.1.0 due to improper Input validation. Hay una vulnerabilidad de tipo Cross Site Scripting (XSS) en VMware vRealize Log Insight versiones anteriores a 8.1.0, debido a una comprobación de entrada inapropiada. • https://www.vmware.com/security/advisories/VMSA-2020-0007.html • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-3954
https://notcve.org/view.php?id=CVE-2020-3954
Open Redirect vulnerability exists in VMware vRealize Log Insight prior to 8.1.0 due to improper Input validation. Hay una vulnerabilidad de Redireccionamiento Abierto en VMware vRealize Log Insight versiones anteriores a 8.1.0, debido a una comprobación de entrada inapropiada. • https://www.vmware.com/security/advisories/VMSA-2020-0007.html • CWE-20: Improper Input Validation CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-5406 – PCF Autoscaling logs its database credentials
https://notcve.org/view.php?id=CVE-2020-5406
VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.18, 2.7.x versions prior to 2.7.11, and 2.8.x versions prior to 2.8.5, includes a version of PCF Autoscaling that writes database connection properties to its log, including database username and password. A malicious user with access to those logs may gain unauthorized access to the database being used by Autoscaling. VMware Tanzu Application Service para Máquinas Virtuales, versiones 2.6.x anteriores a 2.6.18, versiones 2.7.x anteriores a 2.7.11 y versiones 2.8.x anteriores a 2.8.5, incluye una versión de PCF Autoscaling que escribe las propiedades de conexión de la base de datos en su registro, incluyendo el nombre de usuario y la contraseña de la base de datos. Un usuario malicioso con acceso a esos registros puede conseguir acceso no autorizado a la base de datos que está siendo usada por Autoscaling. • https://tanzu.vmware.com/security/cve-2020-5406 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 71%CPEs: 1EXPL: 5CVE-2020-3952 – VMware vCenter Server Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-3952
Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. Bajo determinadas condiciones, vmdir que se entrega con VMware vCenter Server, como parte de un Platform Services Controller (PSC) incorporado o externo, no implementa correctamente los controles de acceso. VMware vCenter Server contains an information disclosure vulnerability in the VMware Directory Service (vmdir) when the Platform Services Controller (PSC) does not correctly implement access controls. Successful exploitation allows an attacker with network access to port 389 to extract sensitive information. • https://www.exploit-db.com/exploits/48535 https://github.com/bb33bb/CVE-2020-3952 https://github.com/commandermoon/CVE-2020-3952 https://github.com/gelim/CVE-2020-3952 http://packetstormsecurity.com/files/157896/VMware-vCenter-Server-6.7-Authentication-Bypass.html https://www.vmware.com/security/advisories/VMSA-2020-0006 https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952 https://www.vmware.com/security/advisories/VMSA-2020-0006.html https://github.com/HynekPetrak&# • CWE-306: Missing Authentication for Critical Function •