Executive Summary
| Summary | |
|---|---|
| Title | VMware vCenter Operations, CapacityIQ, and Movie Decoder security updates |
| Informations | |||
|---|---|---|---|
| Name | VMSA-2012-0014 | First vendor Publication | 2012-10-04 |
| Vendor | VMware | Last vendor Modification | 2012-10-04 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 6.9 | Attack Range | Local |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 3.4 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| a. VMware Movie Decoder Installer binary planting vulnerability The installer of the VMware Movie Decoder has a binary planting vulnerability. An attacker who can write their malicious executable to the same folder as where the installer of the Movie Decoder is located may be able to run their code when the installation is started. VMware would like to thank Mitja Kolsek of ACROS Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-4897 to this issue. b. vCenter Operations cross-site scripting vulnerability The vCenter Operations server contains a cross-site scripting vulnerability that allows an attacker to steal an administrator's session cookie. To exploit this vulnerability, the attacker must convince the administrator to click on a malicious link. VMware would like to thank Alexander Minozhenko of ERPScan for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-5050 to this issue. c. vCenter CapacityIQ path traversal vulnerability vCenter CapacityIQ contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files. VMware would like to thank Alexander Minozhenko of ERPScan for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-5051 to this issue. |
Original Source
| Url : http://www.vmware.com/security/advisories/VMSA-2012-0014.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
| 50 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 | |
| Application | 6 | |
| Application | 2 |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2012-11-30 | Name : The movie decoder installed on the remote Windows host is affected by a DLL l... File : vmware_movie_decoder_9_0.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 12:07:24 |
|
