CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Vmware : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-2384 399 DoS 2014-04-15 2014-04-16
4.9
None Local Low Not required None None Complete
vmx86.sys in VMware Workstation 10.0.1 build 1379776 and VMware Player 6.0.1 build 1379776 on Windows might allow local users to cause a denial of service (read access violation and system crash) via a crafted buffer in an IOCTL call. NOTE: the researcher reports "Vendor rated issue as non-exploitable."
2 CVE-2014-1207 DoS 2014-01-17 2014-01-30
4.3
None Remote Medium Not required None None Partial
VMware ESXi 4.0 through 5.1 and ESX 4.0 and 4.1 allow remote attackers to cause a denial of service (NULL pointer dereference) by intercepting and modifying Network File Copy (NFC) traffic.
3 CVE-2013-5973 264 2013-12-23 2014-01-07
4.4
None Local Medium Not required Partial Partial Partial
VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local users to read or modify arbitrary files by leveraging the Virtual Machine Power User or Resource Pool Administrator role for a vCenter Server Add Existing Disk action with a (1) -flat, (2) -rdm, or (3) -rdmp filename.
4 CVE-2013-3107 264 Bypass 2013-05-01 2013-05-01
4.3
None Remote Medium Not required None Partial None
VMware vCenter Server 5.1 before Update 1, when anonymous LDAP binding for Active Directory is enabled, allows remote attackers to bypass authentication by providing a valid username in conjunction with an empty password.
5 CVE-2013-1661 20 DoS 2013-09-03 2013-09-30
4.3
None Remote Medium Not required None None Partial
VMware ESXi 4.0 through 5.1, and ESX 4.0 and 4.1, does not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to cause a denial of service (unhandled exception and application crash) by modifying the client-server data stream.
6 CVE-2012-6325 200 +Info 2012-12-21 2013-01-08
4.0
None Remote Low Single system Partial None None
VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 does not properly parse XML documents, which allows remote authenticated users to read arbitrary files via unspecified vectors.
7 CVE-2012-6324 22 Dir. Trav. 2012-12-21 2012-12-24
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 and 5.1 before Patch 1 allows remote authenticated users to read arbitrary files via unspecified vectors.
8 CVE-2012-5050 79 XSS 2012-10-05 2013-02-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the server in VMware vCenter Operations (aka vCOps) before 5.0.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
9 CVE-2012-1513 200 +Info 2012-03-16 2012-11-06
4.0
None Remote Low Single system Partial None None
The Web Configuration tool in VMware vCenter Orchestrator (vCO) 4.0 before Update 4, 4.1 before Update 2, and 4.2 before Update 1 places the vCenter Server password in an HTML document, which allows remote authenticated administrators to obtain sensitive information by reading this document.
10 CVE-2012-1512 79 XSS 2012-03-16 2012-11-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the internal browser in vSphere Client in VMware vSphere 4.1 before Update 2 and 5.0 before Update 1 allows remote attackers to inject arbitrary web script or HTML via a crafted log-file entry.
11 CVE-2012-1511 79 XSS 2012-03-16 2013-11-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in View Manager Portal in VMware View before 4.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
12 CVE-2012-0903 79 1 XSS 2012-01-20 2012-01-23
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Desktop 7.1.2 b10978 allow remote attackers to inject arbitrary web script or HTML via the (1) Username or (2) MailBox Name.
13 CVE-2011-2732 94 Http R.Spl. 2012-12-05 2012-12-06
4.3
None Remote Medium Not required None Partial None
CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.
14 CVE-2011-0426 22 Dir. Trav. 2011-05-09 2011-05-27
4.3
None Remote Medium Not required Partial None None
Directory traversal vulnerability in vCenter Server in VMware vCenter 4.0 before Update 3 and 4.1 before Update 1, and VMware VirtualCenter 2.5 before Update 6a, allows remote attackers to read arbitrary files via unspecified vectors.
15 CVE-2010-2427 264 +Priv 2010-07-22 2010-07-22
4.4
User Local Medium Not required Partial Partial Partial
VMware Studio 2.0 does not properly write to temporary files, which allows local users to gain privileges via unspecified vectors.
16 CVE-2010-1193 79 XSS 2010-04-01 2010-04-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in WebAccess in VMware Server 2.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON error messages.
17 CVE-2010-1143 79 XSS 2010-05-07 2013-11-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in VMware View (formerly Virtual Desktop Manager or VDM) 3.1.x before 3.1.3 build 252693 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
18 CVE-2010-1137 79 XSS 2010-04-01 2013-05-14
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in WebAccess in VMware VirtualCenter 2.0.2 and 2.5 and VMware ESX 3.0.3 and 3.5, and the Server Console in VMware Server 1.0, allows remote attackers to inject arbitrary web script or HTML via the name of a virtual machine.
19 CVE-2009-3731 79 XSS 2009-12-16 2010-08-21
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
20 CVE-2009-2277 79 XSS 2010-04-01 2010-08-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in WebAccess in VMware VirtualCenter 2.0.2 and 2.5 and VMware ESX 3.0.3 and 3.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to "context data."
21 CVE-2009-1805 DoS 2009-06-01 2010-08-21
4.0
None Local High Not required None None Complete
Unspecified vulnerability in the VMware Descheduled Time Accounting driver in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745, VMware Fusion 2.x before 2.0.2 build 147997, VMware ESXi 3.5, and VMware ESX 3.0.2, 3.0.3, and 3.5, when the Descheduled Time Accounting Service is not running, allows guest OS users on Windows to cause a denial of service via unknown vectors.
22 CVE-2009-1146 DoS 2009-04-06 2010-08-21
4.9
None Local Low Not required None None Complete
Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 allows local users to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3761.
23 CVE-2008-4916 DoS 2009-04-06 2013-05-14
4.6
None Local Low Single system None None Complete
Unspecified vulnerability in a guest virtual device driver in VMware Workstation before 5.5.9 build 126128, and 6.5.1 and earlier 6.x versions; VMware Player before 1.0.9 build 126128, and 2.5.1 and earlier 2.x versions; VMware ACE before 1.0.8 build 125922, and 2.5.1 and earlier 2.x versions; VMware Server 1.x before 1.0.8 build 126538 and 2.0.x before 2.0.1 build 156745; VMware Fusion before 2.0.1; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to cause a denial of service (host OS crash) via unknown vectors.
24 CVE-2008-4914 DoS 2009-02-03 2010-08-21
4.7
None Local Medium Not required None None Complete
Unspecified vulnerability in VMware ESXi 3.5 before ESXe350-200901401-I-SG and ESX 3.5 before ESX350-200901401-SG allows local administrators to cause a denial of service (host crash) via a snapshot with a malformed VMDK delta disk.
25 CVE-2008-3761 20 1 DoS 2008-08-21 2009-04-23
4.9
None Local Low Not required None None Complete
hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 uses the METHOD_NEITHER communication method for IOCTLs, which allows local users to cause a denial of service via a crafted IOCTL request.
26 CVE-2007-5671 20 +Priv 2008-06-05 2013-05-14
4.4
User Local Medium Not required Partial Partial Partial
HGFS.sys in the VMware Tools package in VMware Workstation 5.x before 5.5.6 build 80404, VMware Player before 1.0.6 build 80404, VMware ACE before 1.0.5 build 79846, VMware Server before 1.0.5 build 80187, and VMware ESX 2.5.4 through 3.0.2 does not properly validate arguments in user-mode METHOD_NEITHER IOCTLs to the \\.\hgfs device, which allows guest OS users to modify arbitrary memory locations in guest kernel memory and gain privileges.
27 CVE-2006-6410 Exec Code Overflow 2006-12-09 2008-09-05
4.6
None Local Low Not required Partial Partial Partial
Buffer overflow in an ActiveX control in VMWare 5.5.1 allows local users to execute arbitrary code via a long VmdbDb parameter to the Initialize function.
28 CVE-2006-5990 20 2006-11-20 2011-03-10
4.0
None Remote High Not required None Partial Partial
VMWare VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and 1.4.x before 1.4.1 Patch 1 (Build 33425), when server certificate verification is enabled, does not verify the server's X.509 certificate when creating an SSL session, which allows remote malicious servers to spoof valid servers via a man-in-the-middle attack.
29 CVE-2006-2662 +Priv 2006-06-02 2008-09-05
4.6
User Local Low Not required Partial Partial Partial
VMware Server before RC1 does not clear user credentials from memory after a console connection is made, which might allow local attackers to gain privileges.
30 CVE-2005-4773 DoS 2005-12-31 2008-09-10
4.9
None Local Low Not required None None Complete
The configuration of VMware ESX Server 2.x, 2.0.x, 2.1.x, and 2.5.x allows local users to cause a denial of service (shutdown) via the (1) halt, (2) poweroff, and (3) reboot scripts executed at the service console.
31 CVE-2005-4583 79 Exec Code XSS 2005-12-29 2011-03-28
4.3
None Remote Medium Not required None Partial None
Unspecified vulnerability in the Management Interface in VMware ESX Server 2.x up to 2.5.x before 24 December 2005 allows "remote code execution in the Web browser" via unspecified attack vectors, probably related to cross-site scripting (XSS).
32 CVE-2005-0444 Exec Code 2005-02-14 2008-09-05
4.6
User Local Low Not required Partial Partial Partial
VMware before 4.5.2.8848-r5 searches for gdk-pixbuf shared libraries using a path that includes the rrdharan world-writable temporary directory, which allows local users to execute arbitrary code.
33 CVE-2003-0739 2003-10-20 2008-09-10
4.6
User Local Low Not required Partial Partial Partial
VMware Workstation 4.0.1 for Linux, build 5289 and earlier, allows local users to delete arbitrary files via a symlink attack.
Total number of vulnerabilities : 33   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.