VMware Cloud Foundation 4.0

77 matches found

added 2022/02/04 11:15 p.m. | 76 views

CVE-2022-22939

VMware Cloud Foundation contains an information disclosure vulnerability due to logging of credentials in plain-text within multiple log files on the SDDC Manager. A malicious actor with root access on VMware Cloud Foundation SDDC Manager may be able to view credentials in plaintext within one or m...

4.9 CVSS | 4.9 AI score | 0.0026 EPSS

added 2024/07/11 5:15 a.m. | 75 views

CVE-2024-22280

VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database.

8.5 CVSS | 8.3 AI score | 0.01412 EPSS

added 2025/01/30 4:15 p.m. | 69 views

CVE-2025-22222

VMware Aria Operations contains an information disclosure vulnerability. A malicious user with non-administrative privileges may exploit this vulnerability to retrieve credentials for an outbound plugin if a valid service credential ID is known.

7.7 CVSS | 7.3 AI score | 0.00157 EPSS

added 2021/09/23 1:15 p.m. | 68 views

CVE-2021-22018

The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Life-cycle Manager plug-in. A malicious actor with network access to port 9087 on vCenter Server may exploit this issue to delete non-critical files.

6.5 CVSS | 6.7 AI score | 0.00518 EPSS

added 2025/05/13 6:15 a.m. | 67 views

CVE-2025-22249

VMware Aria Automation contains a DOM-based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted payload URL.

8.2 CVSS | 7.4 AI score | 0.00073 EPSS

added 2021/08/30 6:15 p.m. | 66 views

CVE-2021-22025

The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.

7.5 CVSS | 7.5 AI score | 0.00189 EPSS

added 2024/06/25 3:15 p.m. | 65 views

CVE-2024-37086

VMware ESXi contains an out-of-bounds read vulnerability. A malicious actor with local administrative privileges on a virtual machine with an existing snapshot may trigger an out-of-bounds read leading to a denial-of-service condition of the host.

6.8 CVSS | 6.7 AI score | 0.00073 EPSS

added 2021/08/30 6:15 p.m. | 64 views

CVE-2021-22024

The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary log-file read vulnerability. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file resulting in sensitive information disclosure.

7.5 CVSS | 7.2 AI score | 0.00273 EPSS

added 2021/08/30 6:15 p.m. | 61 views

CVE-2021-22023

The vRealize Operations Manager API (8.x prior to 8.5) has an insecure object reference vulnerability. A malicious actor with administrative access to vRealize Operations Manager API may be able to modify other users' information leading to an account takeover.

7.2 CVSS | 7 AI score | 0.00324 EPSS

added 2024/02/21 5:15 a.m. | 61 views

CVE-2024-22235

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.

6.7 CVSS | 6.8 AI score | 0.00045 EPSS

added 2021/08/30 6:15 p.m. | 59 views

CVE-2021-22026

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an endpoint. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure.

7.5 CVSS | 7.3 AI score | 0.00253 EPSS

added 2023/09/27 3:18 p.m. | 59 views

CVE-2023-34043

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.

6.7 CVSS | 6.8 AI score | 0.00039 EPSS

added 2025/01/30 4:15 p.m. | 58 views

CVE-2025-22219

VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. A malicious actor with non-administrative privileges may be able to inject a malicious script (stored cross-site scripting) that may lead to arbitrary operations as the admin user.

9 CVSS | 6.5 AI score | 0.00116 EPSS

added 2021/08/30 6:15 p.m. | 57 views

CVE-2021-22022

The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary file read vulnerability. A malicious actor with administrative access to vRealize Operations Manager API can read any arbitrary file on the server leading to information disclosure.

4.9 CVSS | 5.9 AI score | 0.00214 EPSS

added 2021/08/30 6:15 p.m. | 57 views

CVE-2021-22027

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an endpoint. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure.

7.5 CVSS | 7.3 AI score | 0.00228 EPSS

added 2023/05/12 9:15 p.m. | 57 views

CVE-2023-20880

VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.

6.7 CVSS | 7.3 AI score | 0.00041 EPSS

added 2025/01/30 4:15 p.m. | 57 views

CVE-2025-22221

VMware Aria Operations for Logs contains a stored cross-site scripting vulnerability. A malicious actor with admin privileges to VMware Aria Operations for Logs may be able to inject a malicious script that could be executed in a victim's browser when performing a delete action in the Agent Configur...

5.2 CVSS | 5 AI score | 0.00122 EPSS

added 2023/05/12 9:15 p.m. | 56 views

CVE-2023-20879

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative privileges in the Aria Operations application can gain root access to the underlying operating system.

6.7 CVSS | 7.3 AI score | 0.00045 EPSS

added 2024/11/26 12:15 p.m. | 55 views

CVE-2024-38830

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges may trigger this vulnerability to escalate privileges to root user on the appliance running VMware Aria Operations.

7.8 CVSS | 7.9 AI score | 0.00036 EPSS

added 2021/08/30 7:15 p.m. | 54 views

CVE-2021-22021

VMware vRealize Log Insight (8.x prior to 8.4) contains a Cross Site Scripting (XSS) vulnerability due to improper user input validation. An attacker with user privileges may be able to inject a malicious payload via the Log Insight UI which would be executed when the victim accesses the shared das...

5.4 CVSS | 5.3 AI score | 0.00242 EPSS

added 2023/05/12 9:15 p.m. | 54 views

CVE-2023-20878

VMware Aria Operations contains a deserialization vulnerability. A malicious actor with administrative privileges can execute arbitrary commands and disrupt the system.

7.2 CVSS | 7.8 AI score | 0.00557 EPSS

added 2020/10/20 5:15 p.m. | 53 views

CVE-2020-3993

VMware NSX-T (3.x before 3.0.2, 2.5.x before 2.5.2.2.0) contains a security vulnerability that exists in the way it allows a KVM host to download and install packages from NSX manager. A malicious actor with MITM positioning may be able to exploit this issue to compromise the transport node.

5.9 CVSS | 6.4 AI score | 0.00318 EPSS

added 2024/11/26 12:15 p.m. | 50 views

CVE-2024-38832

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to views may be able to inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.

7.1 CVSS | 6.5 AI score | 0.00631 EPSS

added 2024/11/26 12:15 p.m. | 48 views

CVE-2024-38834

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to cloud provider might be able to inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.

6.5 CVSS | 6.1 AI score | 0.00314 EPSS

added 2024/11/26 12:15 p.m. | 47 views

CVE-2024-38833

VMware Aria Operations contains a stored cross-site scripting vulnerability. A malicious actor with editing access to email templates might inject malicious script leading to stored cross-site scripting in the product VMware Aria Operations.

6.8 CVSS | 6.3 AI score | 0.00209 EPSS

added 2024/11/26 12:15 p.m. | 46 views

CVE-2024-38831

VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with local administrative privileges can insert malicious commands into the properties file to escalate privileges to a root user on the appliance running VMware Aria Operations.

7.8 CVSS | 8 AI score | 0.00307 EPSS

added 2024/06/25 3:15 p.m. | 43 views

CVE-2024-37087

The vCenter Server contains a denial-of-service vulnerability. A malicious actor with network access to vCenter Server may create a denial-of-service condition.

5.3 CVSS | 6.9 AI score | 0.00308 EPSS

Total number of security vulnerabilities: 77