CVEdetails.com the ultimate security vulnerability data source

VMware: Security Vulnerabilities

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 | CVE-2016-7463 | 79 | | XSS | 2016-12-29 | 2016-12-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in the Host Client in VMware vSphere Hypervisor (aka ESXi) 5.5 and 6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted VM.
2 | CVE-2016-7462 | 749 | | | 2016-12-29 | 2016-12-30 | 7.5 | None | Remote | Low | Single system | None | Partial | Complete
The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a relay-request payload that is mishandled during deserialization.
3 | CVE-2016-7461 | 119 | | DoS Exec Code Overflow | 2016-12-29 | 2017-01-03 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
The drag-and-drop (aka DnD) function in VMware Workstation Pro 12.x before 12.5.2 and VMware Workstation Player 12.x before 12.5.2 and VMware Fusion and Fusion Pro 8.x before 8.5.2 allows guest OS users to execute arbitrary code on the host OS or cause a denial of service (out-of-bounds memory access on the host OS) via unspecified vectors.
4 | CVE-2016-7460 | 611 | | DoS | 2016-12-29 | 2017-01-03 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial
The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
5 | CVE-2016-7459 | 611 | | | 2016-12-29 | 2017-01-03 | 4.0 | None | Remote | Low | Single system | Partial | None | None
VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
6 | CVE-2016-7458 | 611 | | | 2016-12-29 | 2017-01-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None
VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
7 | CVE-2016-7457 | 264 | | +Priv | 2016-12-29 | 2017-01-03 | 8.0 | None | Remote | Low | Single system | Partial | Partial | Complete
VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt and remove virtual machines, via unspecified vectors.
8 | CVE-2016-7456 | 255 | | | 2016-12-29 | 2017-01-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
VMware vSphere Data Protection (VDP) 5.5.x through 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session.
9 | CVE-2016-7087 | 22 | | Dir. Trav. +Info | 2016-12-29 | 2017-01-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Directory traversal vulnerability in the Connection Server in VMware Horizon View 5.x before 5.3.7, 6.x before 6.2.3, and 7.x before 7.0.1 allows remote attackers to obtain sensitive information via unspecified vectors.
10 | CVE-2016-7086 | 264 | | +Priv | 2016-12-29 | 2017-01-03 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
The installer in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows allows local users to gain privileges via a Trojan horse setup64.exe file in the installation directory.
11 | CVE-2016-7085 | 426 | | +Priv | 2016-12-29 | 2017-01-03 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Untrusted search path vulnerability in the installer in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.
12 | CVE-2016-7084 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2016-12-29 | 2017-01-03 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
tpview.dll in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allows guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via a JPEG 2000 image.
13 | CVE-2016-7083 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2016-12-29 | 2017-01-03 | 5.9 | None | Local | Medium | Not required | Partial | Partial | Complete
VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via TrueType fonts embedded in EMFSPOOL.
14 | CVE-2016-7082 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2016-12-29 | 2017-01-03 | 5.9 | None | Local | Medium | Not required | Partial | Partial | Complete
VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS or cause a denial of service (host OS memory corruption) via an EMF file.
15 | CVE-2016-7081 | 119 | | Exec Code Overflow | 2016-12-29 | 2017-01-03 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
Multiple heap-based buffer overflows in VMware Workstation Pro 12.x before 12.5.0 and VMware Workstation Player 12.x before 12.5.0 on Windows, when Cortado ThinPrint virtual printing is enabled, allow guest OS users to execute arbitrary code on the host OS via unspecified vectors.
16 | CVE-2016-7080 | 476 | | DoS +Priv | 2016-12-29 | 2017-01-03 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
The graphic acceleration functions in VMware Tools 9.x and 10.x before 10.0.9 on OS X allow local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors, a different vulnerability than CVE-2016-7079.
17 | CVE-2016-7079 | 476 | | DoS +Priv | 2016-12-29 | 2017-01-03 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
The graphic acceleration functions in VMware Tools 9.x and 10.x before 10.0.9 on OS X allow local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors, a different vulnerability than CVE-2016-7080.
18 | CVE-2016-5336 | | | Exec Code | 2016-08-30 | 2016-11-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
VMware vRealize Automation 7.0.x before 7.1 allows remote attackers to execute arbitrary code via unspecified vectors.
19 | CVE-2016-5335 | | | | 2016-08-30 | 2016-11-28 | 7.2 | Admin | Local | Low | Not required | Complete | Complete | Complete
VMware Identity Manager 2.x before 2.7 and vRealize Automation 7.0.x before 7.1 allow local users to obtain root access via unspecified vectors.
20 | CVE-2016-5334 | 284 | | | 2016-12-29 | 2017-01-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None
VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors.
21 | CVE-2016-5333 | 798 | | | 2016-08-30 | 2016-11-28 | 9.3 | Admin | Remote | Medium | Not required | Complete | Complete | Complete
VMware Photon OS OVA 1.0 before 2016-08-14 has a default SSH public key in an authorized_keys file, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.
22 | CVE-2016-5332 | 22 | | Dir. Trav. | 2016-08-30 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Directory traversal vulnerability in VMware vRealize Log Insight 2.x and 3.x before 3.6.0 allows remote attackers to read arbitrary files via unspecified vectors.
23 | CVE-2016-5331 | 93 | | Http R.Spl. | 2016-08-07 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
24 | CVE-2016-5330 | 426 | | +Priv | 2016-08-07 | 2016-12-23 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion 8.1.x before 8.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory.
25 | CVE-2016-5329 | 200 | | Bypass +Info | 2016-12-29 | 2017-01-03 | 2.1 | None | Local | Low | Not required | Partial | None | None
VMware Fusion 8.x before 8.5 on OS X, when System Integrity Protection (SIP) is enabled, allows local users to determine kernel memory addresses and bypass the kASLR protection mechanism via unspecified vectors.
26 | CVE-2016-5328 | 254 | | Bypass | 2016-12-29 | 2017-01-03 | 2.1 | None | Local | Low | Not required | Partial | None | None
VMware Tools 9.x and 10.x before 10.1.0 on OS X, when System Integrity Protection (SIP) is enabled, allows local users to determine kernel memory addresses and bypass the kASLR protection mechanism via unspecified vectors.
27 | CVE-2016-2082 | 352 | | CSRF | 2016-07-02 | 2016-07-08 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Cross-site request forgery (CSRF) vulnerability in VMware vRealize Log Insight 2.x and 3.x before 3.3.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
28 | CVE-2016-2081 | 79 | | XSS | 2016-07-02 | 2016-07-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in VMware vRealize Log Insight 2.x and 3.x before 3.3.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
29 | CVE-2016-2079 | 200 | | +Info | 2016-07-02 | 2016-07-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
VMware NSX Edge 6.1 before 6.1.7 and 6.2 before 6.2.3 and vCNS Edge 5.5 before 5.5.4.3, when the SSL-VPN feature is configured, allow remote attackers to obtain sensitive information via unspecified vectors.
30 | CVE-2016-2078 | 79 | | XSS | 2016-06-08 | 2016-06-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in the Web Client in VMware vCenter Server 5.1 before update 3d, 5.5 before update 3d, and 6.0 before update 2 on Windows allows remote attackers to inject arbitrary web script or HTML via the flashvars parameter.
31 | CVE-2016-2077 | 264 | | +Priv | 2016-05-18 | 2016-11-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
VMware Workstation 11.x before 11.1.3 and VMware Player 7.x before 7.1.3 on Windows incorrectly access an executable file, which allows host OS users to gain host OS privileges via unspecified vectors.
32 | CVE-2016-2076 | 287 | | | 2016-04-15 | 2016-08-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, and U3c and 6.0 before U2; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4 before 6.2.4.1 mishandles session content, which allows remote attackers to hijack sessions via a crafted web site.
33 | CVE-2016-2075 | 79 | | XSS | 2016-03-16 | 2016-12-02 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in VMware vRealize Business Advanced and Enterprise 8.x before 8.2.5 on Linux allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
34 | CVE-2015-6934 | 20 | | Exec Code | 2015-12-20 | 2016-11-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
35 | CVE-2015-6933 | 284 | | DoS +Priv Mem. Corr. | 2016-01-08 | 2016-12-07 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
The VMware Tools HGFS (aka Shared Folders) implementation in VMware Workstation 11.x before 11.1.2, VMware Player 7.x before 7.1.2, VMware Fusion 7.x before 7.1.2, and VMware ESXi 5.0 through 6.0 allows Windows guest OS users to gain guest OS privileges or cause a denial of service (guest OS kernel memory corruption) via unspecified vectors.
36 | CVE-2015-6932 | 310 | | +Info | 2015-09-18 | 2016-12-21 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify X.509 certificates from TLS LDAP servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
37 | CVE-2015-6931 | 79 | | XSS | 2016-07-02 | 2016-07-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in the vSphere Web Client in VMware vCenter Server 5.0 before U3g, 5.1 before U3d, and 5.5 before U2d allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
38 | CVE-2015-3650 | 284 | | +Priv | 2015-07-10 | 2016-12-27 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
vmware-vmx.exe in VMware Workstation 7.x through 10.x before 10.0.7 and 11.x before 11.1.1, VMware Player 5.x and 6.x before 6.0.7 and 7.x before 7.1.1, and VMware Horizon Client 5.x local-mode before 5.4.2 on Windows does not provide a valid DACL pointer during the setup of the vprintproxy.exe process, which allows host OS users to gain host OS privileges by injecting a thread.
39 | CVE-2015-2344 | 79 | | XSS | 2016-03-16 | 2016-12-02 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in VMware vRealize Automation 6.x before 6.2.4 on Linux allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
40 | CVE-2015-2342 | | | Exec Code | 2015-10-12 | 2016-12-07 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.
41 | CVE-2015-2341 | 20 | | DoS | 2015-06-13 | 2016-12-30 | 7.8 | None | Remote | Low | Not required | None | None | Complete
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.6, and VMware Fusion 6.x before 6.0.6 and 7.x before 7.0.1 allow attackers to cause a denial of service against a 32-bit guest OS or 64-bit host OS via a crafted RPC command.
42 | CVE-2015-2340 | 399 | | DoS | 2015-06-13 | 2016-12-30 | 6.1 | None | Local Network | Low | Not required | None | None | Complete
TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors.
43 | CVE-2015-2339 | 399 | | DoS | 2015-06-13 | 2016-12-30 | 6.1 | None | Local Network | Low | Not required | None | None | Complete
TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors, a different vulnerability than CVE-2015-2338.
44 | CVE-2015-2338 | 399 | | DoS | 2015-06-13 | 2016-12-30 | 6.1 | None | Local Network | Low | Not required | None | None | Complete
TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors, a different vulnerability than CVE-2015-2339.
45 | CVE-2015-2337 | 399 | | Exec Code | 2015-06-13 | 2016-12-30 | 5.8 | None | Local Network | Low | Not required | Partial | Partial | Partial
TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to execute arbitrary code on the host OS via unspecified vectors.
46 | CVE-2015-2336 | 399 | | Exec Code | 2015-06-13 | 2016-12-30 | 5.8 | None | Local Network | Low | Not required | Partial | Partial | Partial
TPView.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to execute arbitrary code on the host OS via unspecified vectors, a different vulnerability than CVE-2012-0897.
47 | CVE-2015-1047 | 20 | | DoS | 2015-10-12 | 2016-12-07 | 5.0 | None | Remote | Low | Not required | None | None | Partial
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.
48 | CVE-2015-1044 | | | DoS | 2015-01-29 | 2016-09-06 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.
49 | CVE-2015-1043 | 20 | | DoS | 2015-01-29 | 2016-09-06 | 3.3 | None | Local Network | Low | Not required | None | None | Partial
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.
50 | CVE-2014-8373 | 264 | | +Priv | 2014-12-11 | 2014-12-12 | 9.0 | Admin | Remote | Low | Single system | Complete | Complete | Complete
The VMware Remote Console (VMRC) function in VMware vCloud Automation Center (vCAC) 6.0.1 through 6.1.1 allows remote authenticated users to gain privileges via vectors involving the "Connect (by) Using VMRC" function.
Total number of vulnerabilities: 264 (page 1 of 6)