CVE Daily
← All tags

Tag: VMware vCenter Server

All CVEs associated with "VMware vCenter Server". Page 1/2 • 129 CVEs.

About “VMware vCenter Server”

A curated feed of “VMware vCenter Server”-related CVEs appears below. We currently track 129 CVEs for this tag (all time). In the last 365 days, 5 were published. Average CVSS is 6.9 (all time; 7.1 over 365d), and 53% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-269 - Improper Privilege Management, CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection'), CWE-863 - Incorrect Authorization.

In our taxonomy this topic maps to a MODERATE impact class. Virtualization and VDI management can impact many hosts at once. Patch the management plane first, restrict management networks, and verify backup or snapshot workflows. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: vcenter

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
9.19.1.0.0
9.09.0.2.0
8.08.0 U3i
7.07.0 U3w Expired
6.76.7 U3w Expired
6.56.5 U3w Expired
6.06.0 U3j Expired
5.55.5 U3k Expired
5.15.1 U3d Expired
5.05.0 U3g Expired
44.1 U3a Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “VMware vCenter Server”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-02-25
Medium

CVE-2026-22721

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with privileges in vCenter to access Aria Operations may leverage this vulnerability to obtain administrative a…

CVSS: 6.2 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-09-29
High

CVE-2025-41250

VMware vCenter contains an SMTP header injection vulnerability. A malicious actor with non-administrative privileges on vCenter who has permission to create scheduled tasks may be able to manipulate…

CVSS: 8.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
High

CVE-2025-41246

VMware Tools for Windows contains an improper authorisation vulnerability due to the way it handles user access controls. A malicious actor with non-administrative privileges on a guest VM, who is al…

CVSS: 7.6 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-07-29
Medium

CVE-2025-41241

VMware vCenter contains a denial-of-service vulnerability. A malicious actor who is authenticated through vCenter and has permission to perform API calls for guest OS customisation may trigger this v…

CVSS: 4.4 CWE: CWE-754 - Improper Check for Unusual or Exceptional Conditions View on NVD
2025-06-26
High

CVE-2025-37101

A potential security vulnerability has been identified in HPE OneView for VMware vCenter (OV4VC). This vulnerability could be exploited allowing an attacker with read only privilege to cause Vertical…

CVSS: 8.7 CWE: CWE-269 - Improper Privilege Management View on NVD
2025-05-20
Medium

CVE-2025-41228

VMware ESXi and vCenter Server contain a reflected cross-site scripting vulnerability due to improper input validation. A malicious actor with network access to the login page of certain ESXi host or…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2025-41226

VMware ESXi contains a denial-of-service vulnerability that occurs when performing a guest operation. A malicious actor with guest operation privileges on a VM, who is already authenticated through v…

CVSS: 6.8 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2025-41225

The vCenter Server contains an authenticated command-execution vulnerability. A malicious actor with privileges to create or modify alarms and run script action may exploit this issue to run arbitrar…

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2025-03-17
High

CVE-2025-2241

A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object af…

CVSS: 8.2 CWE: CWE-922 - Insecure Storage of Sensitive Information View on NVD
2025-03-03
Medium

CVE-2024-55064

Multiple cross-site scripting (XSS) vulnerabilities in EasyVirt DC NetScope <= 8.6.4 allow remote attackers to inject arbitrary JavaScript or HTML code via the (1) smtp_server, (2) smtp_account, (3)…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-09-17
High

CVE-2024-38813

The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a sp…

CVSS: 7.5 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
Critical

CVE-2024-38812

The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sendi…

CVSS: 9.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
2024-06-25
Medium

CVE-2024-37087

The vCenter Server contains a denial-of-service vulnerability. A malicious actor with network access to vCenter Server may create a denial-of-service condition.

CVSS: 5.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2024-22385

Incorrect Default Permissions vulnerability in Hitachi Storage Provider for VMware vCenter allows local users to read and write specific files.This issue affects Hitachi Storage Provider for VMware v…

CVSS: 4.4 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2024-06-18
High

CVE-2024-37081

The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issue…

CVSS: 7.8 CWE: CWE-556 - ASP.NET Misconfiguration: Use of Identity Impersonation View on NVD
Critical

CVE-2024-37080

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2024-37079

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2024-05-21
Medium

CVE-2024-22275

The vCenter Server contains a partial file read vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to partially read arbitrary files…

CVSS: 4.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2024-22274

The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitra…

CVSS: 7.2 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-01-30
High

CVE-2024-21840

Incorrect Default Permissions vulnerability in Hitachi Storage Plug-in for VMware vCenter allows local users to read and write specific files. This issue affects Hitachi Storage Plug-in for VMware v…

CVSS: 7.9 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2023-11-22
High

CVE-2023-43082

Dell Unity prior to 5.3 contains a 'man in the middle' vulnerability in the vmadapter component. If a customer has a certificate signed by a third-party public Certificate Authority, the vCenter CA c…

CVSS: 8.6 CWE: CWE-295 - Improper Certificate Validation View on NVD
2023-10-25
Medium

CVE-2023-34056

vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

CVSS: 4.3 CWE: CWE-922 - Insecure Storage of Sensitive Information View on NVD
Critical

CVE-2023-34048

vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write p…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2023-06-22
Medium

CVE-2023-20896

The VMware vCenter Server contains an out-of-bounds read vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-boun…

CVSS: 5.9 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2023-20895

The VMware vCenter Server contains a memory corruption vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger a memory corrupt…

CVSS: 8.1 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2023-20894

The VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bou…

CVSS: 8.1 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2023-20893

The VMware vCenter Server contains a use-after-free vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may exploit this issue to execu…

CVSS: 8.1 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2023-20892

The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Serve…

CVSS: 8.1 CWE: CWE-787 - Out-of-bounds Write View on NVD
2023-03-01
Medium

CVE-2022-37935

HPE OneView for VMware vCenter, in certain circumstances, may disclose the “HPE OneView” Username and Password.

CVSS: 5.5 CWE: N/A View on NVD
2023-01-31
High

CVE-2022-4441

Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects Hitachi Storage Plug-in…

CVSS: 7.6 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
Medium

CVE-2022-4041

Incorrect Privilege Assignment vulnerability in Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation. This issue affects Hitachi Storage Plug-in…

CVSS: 5.9 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2022-12-13
Medium

CVE-2022-31698

The vCenter Server contains a denial-of-service vulnerability in the content library service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to trigger a d…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2022-31697

The vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plaintext. A malicious actor with access to a workstation that invoked a vCenter Server Applia…

CVSS: 5.5 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2022-10-07
Critical

CVE-2022-31680

The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). A malicious actor with admin access on vCenter server may exploit this issue to execute…

CVSS: 9.1 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2022-10-06
Medium

CVE-2022-2637

Incorrect Privilege Assignment vulnerability in Hitachi Hitachi Storage Plug-in for VMware vCenter allows remote authenticated users to cause privilege escalation.This issue affects Hitachi Storage P…

CVSS: 5.4 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2022-07-13
High

CVE-2022-22982

The vCenter Server contains a server-side request forgery (SSRF) vulnerability. A malicious actor with network access to 443 on the vCenter Server may exploit this issue by accessing a URL request ou…

CVSS: 7.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2022-03-29
Medium

CVE-2022-22948

The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue…

CVSS: 6.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2021-11-24
Critical

CVE-2021-22049

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter…

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
High

CVE-2021-21980

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain acce…

CVSS: 7.5 CWE: N/A View on NVD
2021-11-10
High

CVE-2021-22048

The vCenter Server contains a privilege escalation vulnerability in the IWA (Integrated Windows Authentication) authentication mechanism. A malicious actor with non-administrative access to vCenter S…

CVSS: 8.8 CWE: N/A View on NVD
2021-09-23
Medium

CVE-2021-22020

The vCenter Server contains a denial-of-service vulnerability in the Analytics service. Successful exploitation of this issue may allow an attacker to create a denial-of-service condition on vCenter…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2021-22019

The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. A malicious actor with network access to port 5480 on vCenter Server may exploit this issue by sending a s…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2021-22018

The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. A malicious actor with network access to port 9087 on vCenter Server may exploit t…

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2021-22017

Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this…

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2021-22016

The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. An attacker may exploit this issue to execute malicious scripts by tricking a victim in…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2021-22015

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may…

CVSS: 7.8 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
High

CVE-2021-22014

The vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). An authenticated VAMI user with network access to port 5480 on vCenter…

CVSS: 7.2 CWE: N/A View on NVD
High

CVE-2021-22013

The vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. A malicious actor with network access to port 443 on vCenter Server…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2021-22012

The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2021-22011

vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to…

CVSS: 5.3 CWE: N/A View on NVD
High

CVE-2021-22010

The vCenter Server contains a denial-of-service vulnerability in VPXD service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to create a denial of service…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2021-22009

The vCenter Server contains multiple denial-of-service vulnerabilities in VAPI (vCenter API) service. A malicious actor with network access to port 443 on vCenter Server may exploit these issues to c…

CVSS: 7.5 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
High

CVE-2021-22008

The vCenter Server contains an information disclosure vulnerability in VAPI (vCenter API) service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by sendin…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2021-22007

The vCenter Server contains a local information disclosure vulnerability in the Analytics service. An authenticated user with non-administrative privilege may exploit this issue to gain access to sen…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2021-22006

The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. A malicious actor with network access to port 443 on vCenter Server may exploit this issu…

CVSS: 7.5 CWE: N/A View on NVD
Critical

CVE-2021-22005

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2021-21993

The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. An authorised user with access to content library…

CVSS: 6.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2021-09-22
Medium

CVE-2021-21992

The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. A malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) or…

CVSS: 6.5 CWE: N/A View on NVD
High

CVE-2021-21991

The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may explo…

CVSS: 7.8 CWE: N/A View on NVD
2021-06-03
Medium

CVE-2021-26584

A security vulnerability in HPE OneView for VMware vCenter (OV4VC) could be exploited remotely to allow Cross-Site Scripting. HPE has released the following software update to resolve the vulnerabili…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-05-26
Critical

CVE-2021-21986

The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availab…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2021-21985

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A mali…

CVSS: 9.8 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2021-03-15
Critical

CVE-2021-26987

Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to R…

CVSS: 9.8 CWE: N/A View on NVD
2021-02-27
Medium

CVE-2020-28972

In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-02-24
Medium

CVE-2021-21973

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 44…

CVSS: 5.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Critical

CVE-2021-21972

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with…

CVSS: 9.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-10-20
High

CVE-2020-3994

VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate v…

CVSS: 7.4 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-08-21
Medium

CVE-2020-3976

VMware ESXi and vCenter Server contain a partial denial of service vulnerability in their respective authentication services. VMware has evaluated the severity of this issue to be in the Moderate sev…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2020-04-10
Critical

CVE-2020-3952

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2019-12-18
Medium

CVE-2019-11992

A security vulnerability in HPE OneView for VMware vCenter 9.5 could be exploited remotely to allow Cross-Site Scripting.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-10-28
Medium

CVE-2019-5538

Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2019-5537

Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-09-18
Medium

CVE-2019-5531

VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b…

CVSS: 5.4 CWE: CWE-613 - Insufficient Session Expiration View on NVD
High

CVE-2019-5534

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose l…

CVSS: 7.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2019-5532

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtua…

CVSS: 7.7 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2019-09-03
High

CVE-2019-6179

An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0 , Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior…

CVSS: 7.5 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2019-07-12
High

CVE-2019-11242

A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCen…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2019-04-29
High

CVE-2019-5492

Element Plug-in for vCenter Server versions prior to 4.2.3 may disclose sensitive account information to an unauthenticated attacker. NetApp HCI Compute Node versions prior to 1.4P2 bundle affected v…

CVSS: 7.5 CWE: N/A View on NVD
2019-04-17
High

CVE-2019-3709

IsilonSD Management Server 1.1.0 contains a cross-site scripting vulnerability while registering vCenter servers. A remote attacker can trick an admin user to potentially exploit this vulnerability t…

CVSS: 8.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-09-17
High

CVE-2018-1223

Cloud Foundry Container Runtime (kubo-release), versions prior to 0.14.0, may leak UAA and vCenter credentials to application logs. A malicious user with the ability to read the application logs coul…

CVSS: 8.8 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2018-01-22
High

CVE-2018-5761

A man-in-the-middle vulnerability related to vCenter access was found in Rubrik CDM 3.x and 4.x before 4.0.4-p2. This vulnerability might expose Rubrik user credentials configured to access vCenter a…

CVSS: 8.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2017-12-20
High

CVE-2017-4943

VMware vCenter Server Appliance (vCSA) (6.5 before 6.5 U1d) contains a local privilege escalation vulnerability via the 'showlog' plugin. Successful exploitation of this issue could result in a low p…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2017-11-17
High

CVE-2017-4927

VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) does not correctly handle specially crafted LDAP network packets which may allow for remote denial of service.

CVSS: 7.5 CWE: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') View on NVD
2017-10-05
High

CVE-2017-1378

IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) disclosed unencrypted login credentials to Vmware vCenter in the application trace output which could be obtained by a local user. I…

CVSS: 7.8 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2017-09-15
Medium

CVE-2017-4926

VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker with VC user privileges can inject malicious java-scripts which…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2017-08-01
Critical

CVE-2017-4923

VMware vCenter Server (6.5 prior to 6.5 U1) contains an information disclosure vulnerability. This issue may allow plaintext credentials to be obtained when using the vCenter Server Appliance file-ba…

CVSS: 9.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2017-4922

VMware vCenter Server (6.5 prior to 6.5 U1) contains an information disclosure issue due to the service startup script using world writable directories as temporary storage for critical information.…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2017-4921

VMware vCenter Server (6.5 prior to 6.5 U1) contains an insecure library loading issue that occurs due to the use of LD_LIBRARY_PATH variable in an unsafe manner. Successful exploitation of this issu…

CVSS: 8.8 CWE: N/A View on NVD
2017-07-28
Critical

CVE-2017-4919

VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate.

CVSS: 9.0 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2017-06-07
Critical

CVE-2017-4917

VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x locally stores vCenter Server credentials using reversible encryption. This issue may allow plaintext credentials to be obtained.

CVSS: 9.8 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2017-02-21
High

CVE-2015-4057

The "Plug-in for VMware vCenter" in VCE Vision Intelligent Operations before 2.6.5 sends a cleartext HTTP response upon a request for the Settings screen, which allows remote attackers to discover th…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-02-01
Medium

CVE-2016-6110

IBM Tivoli Storage Manager discloses unencrypted login credentials to Vmware vCenter that could be obtained by a local user.

CVSS: 6.5 CWE: CWE-255 View on NVD
2016-12-29
Critical

CVE-2016-7460

The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of ser…

CVSS: 9.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
High

CVE-2016-7459

VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML docum…

CVSS: 7.7 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
Medium

CVE-2016-7458

VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjun…

CVSS: 5.8 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-08-08
Medium

CVE-2016-5331

CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified v…

CVSS: 6.1 CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') View on NVD
2016-07-03
Medium

CVE-2015-6931

Cross-site scripting (XSS) vulnerability in the vSphere Web Client in VMware vCenter Server 5.0 before U3g, 5.1 before U3d, and 5.5 before U2d allows remote attackers to inject arbitrary web script o…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2016-06-08
Medium

CVE-2016-2078

Cross-site scripting (XSS) vulnerability in the Web Client in VMware vCenter Server 5.1 before update 3d, 5.5 before update 3d, and 6.0 before update 2 on Windows allows remote attackers to inject ar…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2016-04-15
High

CVE-2016-2076

Client Integration Plugin (CIP) in VMware vCenter Server 5.5 U3a, U3b, and U3c and 6.0 before U2; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4 before 6.2.4.1 mishandles ses…

CVSS: 7.6 CWE: CWE-287 - Improper Authentication View on NVD
2015-12-21
High

CVE-2015-6934

Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow…

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
2015-10-12
Critical

CVE-2015-2342

The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitr…

CVSS: 10.0 CWE: N/A View on NVD
Medium

CVE-2015-1047

vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2015-09-18
Medium

CVE-2015-6932

VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify X.509 certificates from TLS LDAP servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive informat…

CVSS: 5.8 CWE: CWE-310 View on NVD
2015-02-01
Medium

CVE-2014-4632

VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 and the proxy client in EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x do not properly ver…

CVSS: 4.3 CWE: CWE-310 View on NVD
2014-12-08
Medium

CVE-2014-8371

VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, whic…

CVSS: 4.3 CWE: CWE-310 View on NVD
Medium

CVE-2014-3797

Cross-site scripting (XSS) vulnerability in VMware vCenter Server Appliance (vCSA) 5.1 before Update 3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2014-06-01
Critical

CVE-2014-3790

Ruby vSphere Console (RVC) in VMware vCenter Server Appliance allows remote authenticated users to execute arbitrary commands as root by escaping from a chroot jail.

CVSS: 9.0 CWE: CWE-264 View on NVD
2013-12-23
Medium

CVE-2013-5973

VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local users to read or modify arbitrary files by leveraging the Virtual Machine Power User or Resource Pool Administrator role for a vCenter Serv…

CVSS: 4.4 CWE: CWE-264 View on NVD
2013-10-21
Medium

CVE-2013-5971

Session fixation vulnerability in the vSphere Web Client Server in VMware vCenter Server 5.0 before Update 3 allows remote attackers to hijack web sessions and gain privileges via unspecified vectors.

CVSS: 6.8 CWE: CWE-264 View on NVD
2013-09-26
Medium

CVE-2012-4092

The management interface in the Central Software component in Cisco Unified Computing System (UCS) does not properly validate the identity of vCenter consoles, which allows man-in-the-middle attacker…

CVSS: 5.8 CWE: CWE-20 - Improper Input Validation View on NVD
2013-06-17
High

CVE-2013-3520

VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not proper handle uploads, which allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-05-29
Medium

CVE-2013-1212

The SSL functionality in Cisco NX-OS on the Nexus 1000V does not properly verify X.509 certificates, which allows man-in-the-middle attackers to spoof servers, and intercept or modify Virtual Supervi…

CVSS: 5.8 CWE: CWE-310 View on NVD
2013-05-01
Medium

CVE-2013-3107

VMware vCenter Server 5.1 before Update 1, when anonymous LDAP binding for Active Directory is enabled, allows remote attackers to bypass authentication by providing a valid username in conjunction w…

CVSS: 4.3 CWE: CWE-264 View on NVD
Critical

CVE-2013-3080

VMware vCenter Server Appliance (vCSA) 5.1 before Update 1 allows remote authenticated users to create or overwrite arbitrary files, and consequently execute arbitrary code or cause a denial of servi…

CVSS: 9.0 CWE: CWE-264 View on NVD
Critical

CVE-2013-3079

VMware vCenter Server Appliance (vCSA) 5.1 before Update 1 allows remote authenticated users to execute arbitrary programs with root privileges by leveraging Virtual Appliance Management Interface (V…

CVSS: 9.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-02-22
High

CVE-2013-1659

VMware vCenter Server 4.0 before Update 4b, 5.0 before Update 2, and 5.1 before 5.1.0b; VMware ESXi 3.5 through 5.1; and VMware ESX 3.5 through 4.1 do not properly implement the Network File Copy (NF…

CVSS: 7.6 CWE: N/A View on NVD
High

CVE-2012-6326

VMware vCenter Server 4.1 before Update 3 and 5.0 before Update 2, and vCSA 5.0 before Update 2, allows remote attackers to cause a denial of service (disk consumption) via vectors that trigger large…

CVSS: 7.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2013-02-15
Critical

CVE-2013-1405

VMware vCenter Server 4.0 before Update 4b and 4.1 before Update 3a, VMware VirtualCenter 2.5, VMware vSphere Client 4.0 before Update 4b and 4.1 before Update 3a, VMware VI-Client 2.5, VMware ESXi 3…

CVSS: 10.0 CWE: CWE-287 - Improper Authentication View on NVD
2012-12-21
Medium

CVE-2012-6325

VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 does not properly parse XML documents, which allows remote authenticated users to read arbitrary files via unspecified vectors.

CVSS: 4.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2012-6324

Directory traversal vulnerability in VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 and 5.1 before Patch 1 allows remote authenticated users to read arbitrary files via unspecified vector…

CVSS: 4.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox