The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of vCenter Server

computer vulnerability alert CVE-2017-4926

VMware vCenter Server: Cross Site Scripting via H5 Client

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via H5 Client of VMware vCenter Server, in order to run JavaScript code in the context of the web site.
Impacted products: vCenter Server.
Severity: 2/4.
Creation date: 15/09/2017.
Identifiers: CERTFR-2017-AVI-304, CVE-2017-4926, VIGILANCE-VUL-23846, VMSA-2017-0015.

Description of the vulnerability

The VMware vCenter Server product offers a web service.

However, it does not filter received data via H5 Client before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via H5 Client of VMware vCenter Server, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2017-4921 CVE-2017-4922 CVE-2017-4923

VMware vCenter Server: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of VMware vCenter Server.
Impacted products: vCenter Server.
Severity: 2/4.
Creation date: 28/07/2017.
Identifiers: CERTFR-2017-AVI-239, CVE-2017-4921, CVE-2017-4922, CVE-2017-4923, VIGILANCE-VUL-23385, VMSA-2017-0013.

Description of the vulnerability

Several vulnerabilities were announced in VMware vCenter Server.

An attacker can use a vulnerability via LD_LIBRARY_PATH, in order to run code. [severity:2/4; CVE-2017-4921]

An attacker can bypass security features via Service Startup Script, in order to obtain sensitive information. [severity:2/4; CVE-2017-4922]

An attacker can bypass security features via vCenter Server Appliance Backup, in order to obtain sensitive information. [severity:2/4; CVE-2017-4923]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2017-5641

VMware vCenter: code execution via AMF3 messages

Synthesis of the vulnerability

An attacker can send a Java object in an AMF3 message to VMware vCenter, in order to run code.
Impacted products: vCenter Server.
Severity: 3/4.
Creation date: 14/04/2017.
Identifiers: CERTFR-2017-AVI-115, CVE-2017-5641, VIGILANCE-VUL-22459, VMSA-2017-0007.

Description of the vulnerability

The VMware vCenter product includes BlazeDS.

This ocmponent process AFM3 messages. However, an attacker can submit an AFM3 message including a serialized Java object in such a way the the code of associated classes is run.

An attacker can therefore send a Java object in an AMF3 message to VMware vCenter, in order to run code.
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2016-7458 CVE-2016-7459 CVE-2016-7460

VMware vCenter Server, VMware vSphere Client: three vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in VMware vCenter Server and VMware vSphere Client.
Impacted products: vCenter Server, VMware vSphere.
Severity: 2/4.
Creation date: 23/11/2016.
Identifiers: CERTFR-2016-AVI-388, CVE-2016-7458, CVE-2016-7459, CVE-2016-7460, VIGILANCE-VUL-21194, VMSA-2016-0022.

Description of the vulnerability

Several vulnerabilities were announced in VMware vCenter Server and VMware vSphere Client.

An attacker can transmit malicious XML data via VMware vSphere Client, in order to read a file, scan sites, or trigger a denial of service. [severity:2/4; CVE-2016-7458]

An attacker can transmit malicious XML data via VMware vCenter Server, in order to read a file, scan sites, or trigger a denial of service. [severity:2/4; CVE-2016-7459]

An attacker can transmit malicious XML data via VMware vCenter Server, in order to read a file, scan sites, or trigger a denial of service. [severity:2/4; CVE-2016-7460]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability alert CVE-2016-5330 CVE-2016-5331

VMware: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of VMware.
Impacted products: ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation.
Severity: 2/4.
Creation date: 05/08/2016.
Revisions dates: 09/08/2016, 20/09/2016.
Identifiers: CERTFR-2016-AVI-265, CVE-2016-5330, CVE-2016-5331, SFY20151201, SYSS-2016-063, VIGILANCE-VUL-20326, VMSA-2016-0010.

Description of the vulnerability

Several vulnerabilities were announced in VMware.

An attacker can use a malicious vmhgfs.dll DLL via the VMware Tools "Shared Folders" feature (component VMware Host Guest Client Redirector), in order to run code. [severity:2/4; CVE-2016-5330, SFY20151201]

An attacker can inject an HTTP header, in order to trigger a Cross Site Scripting or a redirection. [severity:2/4; CVE-2016-5331, SYSS-2016-063]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2015-6931

VMware vCenter Server: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of VMware vCenter Server, in order to run JavaScript code in the context of the web site.
Impacted products: vCenter Server, VMware vSphere.
Severity: 2/4.
Creation date: 15/06/2016.
Identifiers: CERTFR-2016-AVI-202, CVE-2015-6931, VIGILANCE-VUL-19904, VMSA-2016-0009.

Description of the vulnerability

The VMware vCenter Server product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of VMware vCenter Server, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2016-2078

VMware vCenter Server: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of VMware vCenter Server, in order to run JavaScript code in the context of the web site.
Impacted products: vCenter Server, VMware vSphere.
Severity: 2/4.
Creation date: 25/05/2016.
Identifiers: CERTFR-2016-AVI-179, CVE-2016-2078, VIGILANCE-VUL-19695, VMSA-2016-0006.

Description of the vulnerability

The VMware vCenter Server product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of VMware vCenter Server, in order to run JavaScript code in the context of the web site.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2016-3427

VMware vCenter: code execution via JMX Deserialization

Synthesis of the vulnerability

An attacker can send authentication data containing a malicious object, which is unserialized by JMX on VMware vCenter, in order to run code.
Impacted products: vCenter Server, VMware vSphere.
Severity: 3/4.
Creation date: 17/05/2016.
Identifiers: CERTFR-2016-AVI-175, CVE-2016-3427, VIGILANCE-VUL-19619, VMSA-2016-0005, VMSA-2016-0005.1, VMSA-2016-0005.2, VMSA-2016-0005.3, VMSA-2016-0005.4.

Description of the vulnerability

The VMware vCenter product uses Oracle JRE JMX to process authentication credentials.

However, other classes are also unserialized by JMX.

An attacker can therefore send authentication data containing a malicious object, which is unserialized by JMX on VMware vCenter, in order to run code.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2016-2076

VMware vCenter Server: Man-in-the-Middle of Client Integration Plugin

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle of Client Integration Plugin on VMware vCenter Server, in order to read or write data in the session.
Impacted products: vCenter Server, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 15/04/2016.
Identifiers: CERTFR-2016-AVI-130, CVE-2016-2076, VIGILANCE-VUL-19388, VMSA-2016-0004.

Description of the vulnerability

The VMware vCenter Server product uses the TLS protocol, in order to create secure sessions with the Client Integration Plugin.

However, the X.509 certificate and the service identity are not correctly checked.

An attacker can therefore act as a Man-in-the-Middle of Client Integration Plugin on VMware vCenter Server, in order to read or write data in the session.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability bulletin CVE-2015-5255

Apache Flex BlazeDS: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Apache Flex BlazeDS, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Adobe LiveCycle, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 2/4.
Creation date: 21/12/2015.
Identifiers: APSB15-30, CVE-2015-5255, VIGILANCE-VUL-18568, VMSA-2015-0008, VMSA-2015-0008.1.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads these XML data can replace these entities by data coming from the indicated file. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - content disclosure from files of the server
 - private web site scan
 - a denial of service by opening a blocking file
This feature must be disabled to process XML data coming from an untrusted source.

However, the Apache Flex BlazeDS parser allows external entities.

An attacker can therefore transmit malicious XML data to Apache Flex BlazeDS, in order to read a file, scan sites, or trigger a denial of service.
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about vCenter Server: