Vulnerabilities > Vmware > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-10-18 CVE-2024-38820 Unspecified vulnerability in VMWare Spring Framework
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.
network
low complexity
vmware
5.3
2024-07-04 CVE-2024-22277 Cross-site Scripting vulnerability in VMWare Cloud Director
VMware Cloud Director Availability contains an HTML injection vulnerability.
network
low complexity
vmware CWE-79
5.4
2024-03-07 CVE-2024-22256 Unspecified vulnerability in VMWare Cloud Director 10.4.0/10.5
VMware Cloud Director contains a partial information disclosure vulnerability. A malicious actor can potentially gather information about organization names based on the behavior of the instance.
network
low complexity
vmware
4.3
2024-02-06 CVE-2024-22238 Cross-site Scripting vulnerability in VMWare Aria Operations for Networks
Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges may be able to inject malicious code into user profile configurations due to improper input sanitization.
network
low complexity
vmware CWE-79
4.8
2024-02-06 CVE-2024-22240 Files or Directories Accessible to External Parties vulnerability in VMWare Aria Operations for Networks
Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information.
network
low complexity
vmware CWE-552
4.9
2024-02-06 CVE-2024-22241 Cross-site Scripting vulnerability in VMWare Aria Operations for Networks
Aria Operations for Networks contains a cross site scripting vulnerability. A malicious actor with admin privileges can inject a malicious payload into the login banner and takeover the user account.
network
low complexity
vmware CWE-79
4.8
2024-02-05 CVE-2023-34042 Incorrect Permission Assignment for Critical Resource vulnerability in VMWare Spring Security
The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit.
local
low complexity
vmware CWE-732
5.5
2024-01-31 CVE-2024-22236 Incorrect Permission Assignment for Critical Resource vulnerability in VMWare Spring Cloud Contract
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
local
low complexity
vmware CWE-732
5.5
2023-12-12 CVE-2023-34064 Unspecified vulnerability in VMWare Workspace ONE Launcher
Workspace ONE Launcher contains a Privilege Escalation Vulnerability. A malicious actor with physical access to Workspace ONE Launcher could utilize the Edge Panel feature to bypass setup to gain access to sensitive information.
low complexity
vmware
4.6
2023-11-28 CVE-2023-34055 Unspecified vulnerability in VMWare Spring Boot
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath
network
low complexity
vmware
6.5