Vulnerabilities (CVE)

Filtered by vendor Vmware Subscribe
Filtered by product Vcenter Server
Total 75 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21973 1 Vmware 2 Cloud Foundation, Vcenter Server 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
CVE-2021-21972 1 Vmware 2 Cloud Foundation, Vcenter Server 2024-11-21 10.0 HIGH 9.8 CRITICAL
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
CVE-2020-3994 1 Vmware 2 Cloud Foundation, Vcenter Server 2024-11-21 5.8 MEDIUM 7.4 HIGH
VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.
CVE-2020-3976 1 Vmware 3 Cloud Foundation, Esxi, Vcenter Server 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
CVE-2020-3952 1 Vmware 1 Vcenter Server 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.
CVE-2019-5538 1 Vmware 1 Vcenter Server 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over SCP. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations.
CVE-2019-5537 1 Vmware 1 Vcenter Server 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over FTPS and HTTPS. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations.
CVE-2019-5534 1 Vmware 1 Vcenter Server 2024-11-21 4.0 MEDIUM 7.7 HIGH
VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).
CVE-2019-5532 1 Vmware 1 Vcenter Server 2024-11-21 4.0 MEDIUM 7.7 HIGH
VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).
CVE-2019-5531 1 Vmware 3 Esxi, Vcenter Server, Vsphere Esxi 2024-11-21 5.8 MEDIUM 5.4 MEDIUM
VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
CVE-2017-4943 1 Vmware 1 Vcenter Server 2024-11-21 7.2 HIGH 7.8 HIGH
VMware vCenter Server Appliance (vCSA) (6.5 before 6.5 U1d) contains a local privilege escalation vulnerability via the 'showlog' plugin. Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS.
CVE-2017-4928 1 Vmware 1 Vcenter Server 2024-11-21 5.0 MEDIUM 7.5 HIGH
The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior to 5.5 U3f) i.e. not the new HTML5-based vSphere Client, contains SSRF and CRLF injection issues due to improper neutralization of URLs. An attacker may exploit these issues by sending a POST request with modified headers towards internal services leading to information disclosure.
CVE-2017-4927 1 Vmware 1 Vcenter Server 2024-11-21 5.0 MEDIUM 7.5 HIGH
VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) does not correctly handle specially crafted LDAP network packets which may allow for remote denial of service.
CVE-2017-4926 1 Vmware 1 Vcenter Server 2024-11-21 3.5 LOW 5.4 MEDIUM
VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which will get executed when other VC users access the page.
CVE-2017-4923 1 Vmware 1 Vcenter Server 2024-11-21 5.0 MEDIUM 9.8 CRITICAL
VMware vCenter Server (6.5 prior to 6.5 U1) contains an information disclosure vulnerability. This issue may allow plaintext credentials to be obtained when using the vCenter Server Appliance file-based backup feature.
CVE-2017-4922 1 Vmware 1 Vcenter Server 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
VMware vCenter Server (6.5 prior to 6.5 U1) contains an information disclosure issue due to the service startup script using world writable directories as temporary storage for critical information. Successful exploitation of this issue may allow unprivileged host users to access certain critical information when the service gets restarted.
CVE-2017-4921 1 Vmware 1 Vcenter Server 2024-11-21 6.5 MEDIUM 8.8 HIGH
VMware vCenter Server (6.5 prior to 6.5 U1) contains an insecure library loading issue that occurs due to the use of LD_LIBRARY_PATH variable in an unsafe manner. Successful exploitation of this issue may allow unprivileged host users to load a shared library that may lead to privilege escalation.
CVE-2017-4919 1 Vmware 1 Vcenter Server 2024-11-21 6.8 MEDIUM 9.0 CRITICAL
VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate.
CVE-2016-7459 1 Vmware 1 Vcenter Server 2024-11-21 4.0 MEDIUM 7.7 HIGH
VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVE-2016-5331 1 Vmware 2 Esxi, Vcenter Server 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.