CVE-2013-3520
VMware vCenter Chargeback Manager ImageUploadServlet Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 1
Exploited in Wild: -
Decision
Descriptions
VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not properly handle uploads, which allows remote attackers to execute arbitrary code via unspecified vectors.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of VMware vCenter Chargeback Manager. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the handling of requests to the ImageUploadServlet. This service exposes functionality that allows attackers to create files at arbitrary locations with attacker-controlled data. An attacker can leverage this to gain remote code execution in the context of SYSTEM.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2013-05-08 CVE Reserved
- 2013-06-17 CVE Published
- 2013-07-23 First Exploit
- 2024-09-16 CVE Updated
- 2024-11-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (2)
URL | Date |
---|---|
https://www.exploit-db.com/exploits/27046 | 2013-07-23 |
http://www.vmware.com/security/advisories/VMSA-2013-0008.html | 2013-06-18 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Vmware | Vcenter Chargeback Manager | <= 2.5.0 | - | Affected |
Vmware | Vcenter Chargeback Manager | 1.5.0 | - | Affected |
Vmware | Vcenter Chargeback Manager | 1.6.0 | - | Affected |
Vmware | Vcenter Chargeback Manager | 1.6.1 | - | Affected |
Vmware | Vcenter Chargeback Manager | 1.6.2 | - | Affected |
Vmware | Vcenter Chargeback Manager | 2.0.0 | - | Affected |
Vmware | Vcenter Chargeback Manager | 2.0.1 | - | Affected |