CVSS3: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.208 Low
Percentile: 96.3%

I Security Issues

a. Setting ActiveX killbit

Starting from this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids Microsoft KB article 240797 and the related references on this topic.

Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user.

Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested.

Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions.

VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls.

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5438
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5503
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1806
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1808
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2101
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3691
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3692
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3693
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3694
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3695
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3696
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3697
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3698