CVE-2008-4278
https://notcve.org/view.php?id=CVE-2008-4278
VMware VirtualCenter 2.5 before Update 3 build 119838 on Windows displays a user's password in cleartext when the password contains unspecified special characters, which allows physically proximate attackers to steal the password. VMware VirtualCenter 2.5 antes de la actualización 3 build 119838 sobre Windows muestra la contraseña de un usuario en texto sin formato cuando la contraseña contiene caracteres especiales no especificados, lo cual permite robar la contraseña a atacantes físicamente próximos. • http://marc.info/?l=bugtraq&m=122331139823057&w=2 http://secunia.com/advisories/32179 http://secunia.com/advisories/32180 http://www.securityfocus.com/archive/1/497041/100/0/threaded http://www.securityfocus.com/bid/31569 http://www.securitytracker.com/id?1020992 http://www.vmware.com/security/advisories/VMSA-2008-0016.html http://www.vupen.com/english/advisories/2008/2740 https://exchange.xforce.ibmcloud.com/vulnerabilities/45664 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2008-3514
https://notcve.org/view.php?id=CVE-2008-3514
VMware VirtualCenter 2.5 before Update 2 and 2.0.2 before Update 5 relies on client-side "enabled/disabled functionality" for access control, which allows remote attackers to determine valid user names by enabling functionality in the GUI and then making an "attempt to assign permissions to other system users." VirtualCenter de VMware versión 2.5 anterior a Update 2 y versión 2.0.2 anterior a Update 5, se basa en la función "enabled/disabled functionality" para el control de acceso, lo que permite a los atacantes remotos determinar nombres de usuario comprobados mediante la habilitación de la funcionalidad en la GUI y luego haciendo un "attempt to assign permissions to other system users". • http://secunia.com/advisories/31468 http://securityreason.com/securityalert/4150 http://www.insomniasec.com/advisories/ISVA-080812.1.htm http://www.securityfocus.com/archive/1/495386/100/0/threaded http://www.securityfocus.com/bid/30664 http://www.securitytracker.com/id?1020693 http://www.vmware.com/security/advisories/VMSA-2008-0012.html http://www.vmware.com/support/vi3/doc/releasenotes_vc202u5.html http://www.vupen.com/english/advisories/2008/2363 https://exchange.xforce.ibmclou • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2006-5990
https://notcve.org/view.php?id=CVE-2006-5990
VMWare VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and 1.4.x before 1.4.1 Patch 1 (Build 33425), when server certificate verification is enabled, does not verify the server's X.509 certificate when creating an SSL session, which allows remote malicious servers to spoof valid servers via a man-in-the-middle attack. El cliente VMWare VirtualCenter 2.x anterior a 2.0.1 Patch 1 (Build 33463) y 1.4.x anterior a 1.4.1 Patch 1 (Build 33425), cuando la verificación de certificados de servidor está habilitada, no verifica el certificado X.509 del servidor cuando crea una sesión SSL, lo cual permite a servidores remotos maliciosos suplantar a servidores válidos mediante un ataque de "hombre en medio" (man-in-the-middle). • http://kb.vmware.com/kb/4646606 http://secunia.com/advisories/23053 http://securitytracker.com/id?1017270 http://www.securityfocus.com/archive/1/452275/100/0/threaded http://www.securityfocus.com/bid/21231 http://www.vmware.com/download/vi/vc-201-200611-patch.html http://www.vupen.com/english/advisories/2006/4655 https://exchange.xforce.ibmcloud.com/vulnerabilities/30477 • CWE-20: Improper Input Validation •