CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38815
https://notcve.org/view.php?id=CVE-2024-38815
09 Oct 2024 — VMware NSX contains a content spoofing vulnerability. An unauthenticated malicious actor may be able to craft a URL and redirect a victim to an attacker controlled domain leading to sensitive information disclosure. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25047 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38818
https://notcve.org/view.php?id=CVE-2024-38818
09 Oct 2024 — VMware NSX contains a local privilege escalation vulnerability. An authenticated malicious actor may exploit this vulnerability to obtain permissions from a separate group role than previously assigned. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25047 • CWE-269: Improper Privilege Management •
CVSS: 6.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38817
https://notcve.org/view.php?id=CVE-2024-38817
09 Oct 2024 — Mware NSX contains a command injection vulnerability. A malicious actor with access to the NSX Edge CLI terminal may be able to craft malicious payloads to execute arbitrary commands on the operating system as root. VMware NSX contains a command injection vulnerability. A malicious actor with access to the NSX Edge CLI terminal may be able to craft malicious payloads to execute arbitrary commands on the operating system as root. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25047 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 38%CPEs: 3EXPL: 0CVE-2024-38813 – VMware vCenter Server Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-38813
17 Sep 2024 — The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet. The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet. VMware vCenter contains an improper check for drop... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968 • CWE-250: Execution with Unnecessary Privileges CWE-273: Improper Check for Dropped Privileges •
CVSS: 10.0EPSS: 85%CPEs: 3EXPL: 2CVE-2024-38812 – VMware vCenter Server Heap-Based Buffer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2024-38812
17 Sep 2024 — The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network... • https://github.com/maybeheisenberg/CVE-2024-38812 • CWE-122: Heap-based Buffer Overflow •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-22280 – VMSA-2024-0017: VMware Aria Automation updates address SQL-injection vulnerability (CVE-2024-22280)
https://notcve.org/view.php?id=CVE-2024-22280
11 Jul 2024 — VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database. VMware Aria Automation no aplica la validación de entrada correcta que permite la inyección de SQL en el producto. Un usuario malintencionado autenticado podría ingresar consultas SQL especialmente manipuladas y realizar operaciones de lectura/escritura no autoriz... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24598 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.3EPSS: 76%CPEs: 2EXPL: 3CVE-2024-37085 – VMware ESXi Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-37085
25 Jun 2024 — VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active... • https://github.com/mahmutaymahmutay/CVE-2024-37085 • CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 7.8EPSS: 9%CPEs: 2EXPL: 6CVE-2024-37081 – VMware vCenter Sudo Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-37081
18 Jun 2024 — The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance. vCenter Server contiene múltiples vulnerabilidades de escalada de privilegios locales debido a una mala configuración de sudo. Un usuario local autenticado con privilegios no administrativos puede aprovechar estos problemas para elevar los privilegios ... • https://packetstorm.news/files/id/182981 • CWE-556: ASP.NET Misconfiguration: Use of Identity Impersonation •
CVSS: 10.0EPSS: 2%CPEs: 2EXPL: 0CVE-2024-37080
https://notcve.org/view.php?id=CVE-2024-37080
18 Jun 2024 — vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. vCenter Server contiene una vulnerabilidad de desbordamiento de montón en la implementación del protocolo DCERPC. Un actor malintencionado con acceso a la red de vCenter Server puede desencadenar esta vulnerabilidad al enviar un paqu... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453 • CWE-122: Heap-based Buffer Overflow •
CVSS: 10.0EPSS: 24%CPEs: 3EXPL: 0CVE-2024-37079
https://notcve.org/view.php?id=CVE-2024-37079
18 Jun 2024 — vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. vCenter Server contiene una vulnerabilidad de desbordamiento de montón en la implementación del protocolo DCERPC. Un actor malintencionado con acceso a la red de vCenter Server puede desencadenar esta vulnerabilidad al enviar un paqu... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453 • CWE-787: Out-of-bounds Write •