CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-20855
https://notcve.org/view.php?id=CVE-2023-20855
21 Feb 2023 — VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges. • https://www.vmware.com/security/advisories/VMSA-2023-0005.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 93%CPEs: 61EXPL: 3CVE-2022-22972
https://notcve.org/view.php?id=CVE-2022-22972
20 May 2022 — VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. VMware Workspace ONE Access, Identity Manager y vRealize Automation contienen una vulnerabilidad de omisión de autenticación que afecta a usuarios del dominio local. Un actor malicioso con acceso de red a la interfaz de usuario puede obten... • https://github.com/horizon3ai/CVE-2022-22972 •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22955
https://notcve.org/view.php?id=CVE-2022-22955
13 Apr 2022 — VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework. VMware Workspace ONE Access presenta dos vulnerabilidades de omisión de autenticación (CVE-2022-22955 y CVE-2022-22956) en el marco OAuth2 ACS. Un actor malicioso puede omitir el mecanismo de autenticación y ejecutar cualquier operac... • https://www.vmware.com/security/advisories/VMSA-2022-0011.html •
CVSS: 7.2EPSS: 0%CPEs: 13EXPL: 0CVE-2022-22958
https://notcve.org/view.php?id=CVE-2022-22958
13 Apr 2022 — VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution. VMware Workspace ONE Access, Identity Manager y vRealize Automation contienen dos vulnerabilidades de ejecución de código remota (CVE-2022-22957 y CVE-2022-22958). Un actor malicioso con acceso ad... • https://www.vmware.com/security/advisories/VMSA-2022-0011.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.3EPSS: 0%CPEs: 13EXPL: 0CVE-2022-22961
https://notcve.org/view.php?id=CVE-2022-22961
13 Apr 2022 — VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. A malicious actor with remote access may leak the hostname of the target system. Successful exploitation of this issue can lead to targeting victims. VMware Workspace ONE Access, Identity Manager y vRealize Automation contienen una vulnerabilidad de divulgación de información debido a una devolución de información excesiva. Un actor malicioso con acceso r... • https://www.vmware.com/security/advisories/VMSA-2022-0011.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2022-22959
https://notcve.org/view.php?id=CVE-2022-22959
13 Apr 2022 — VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. A malicious actor can trick a user through a cross site request forgery to unintentionally validate a malicious JDBC URI. VMware Workspace ONE Access, Identity Manager y vRealize Automation contienen una vulnerabilidad de tipo cross site request forgery. Un actor malicioso puede engañar a un usuario mediante un ataque de tipo cross site request forgery para que compruebe involuntariament... • https://www.vmware.com/security/advisories/VMSA-2022-0011.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 62%CPEs: 11EXPL: 1CVE-2022-22956 – VMware Workspace ONE Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-22956
13 Apr 2022 — VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework. VMware Workspace ONE Access presenta dos vulnerabilidades de omisión de autenticación (CVE-2022-22955 y CVE-2022-22956) en el marco de OAuth2 ACS. Un actor malicioso puede omitir el mecanismo de autenticación y ejecutar cualquier ope... • https://packetstorm.news/files/id/171918 • CWE-287: Improper Authentication •
CVSS: 7.2EPSS: 47%CPEs: 13EXPL: 1CVE-2022-22957 – VMware Workspace ONE Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-22957
13 Apr 2022 — VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution. VMware Workspace ONE Access, Identity Manager y vRealize Automation contienen dos vulnerabilidades de ejecución de código remota (CVE-2022-22957 y CVE-2022-22958). Un actor malicioso con acceso ad... • https://packetstorm.news/files/id/171918 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 79%CPEs: 13EXPL: 5CVE-2022-22960 – VMware Multiple Products Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-22960
13 Apr 2022 — VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to 'root'. VMware Workspace ONE Access, Identity Manager y vRealize Automation contienen una vulnerabilidad de escalada de privilegios debido a permisos inapropiados en scripts de soporte. Un actor malicioso con acceso local puede escalar los privilegios a "root" VMware Workspace ONE Acce... • https://packetstorm.news/files/id/171935 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 10.0EPSS: 94%CPEs: 13EXPL: 28CVE-2022-22954 – VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-22954
11 Apr 2022 — VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. VMware Workspace ONE Access y Identity Manager contienen una vulnerabilidad de ejecución de código remota debido a una inyección de plantillas del lado del servidor. Un actor malicioso con acceso a la red puede desencadenar una inyección de plantillas d... • https://packetstorm.news/files/id/166935 • CWE-94: Improper Control of Generation of Code ('Code Injection') •