Executive Summary

Title : VMware vCenter Chargeback Manager Remote Code Execution
Name : VMSA-2013-0008
First vendor Publication : 2013-06-11
Vendor : VMware
Last vendor Modification : 2013-06-11
Severity (Vendor) : N/A
Revision : N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact SubScore : NA
Temporal Score : NA
Exploitability Sub Score : NA

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score : 7.5
Cvss Impact Score : 6.4
Cvss Exploit Score : 10
Attack Range : Network
Attack Complexity : Low
Authentication : None Required


a. vCenter Chargeback Manager Remote Code Execution

The vCenter Chargeback Manager (CBM) contains a flaw in its handling of file uploads. Exploitation of this issue may allow an unauthenticated attacker to execute code remotely.

VMware would like to thank Andrea Micalizzi, aka rgod, for reporting this issue to us through HP's Zero Day Initiative (ZDI).

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3520 to this issue.

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2013-0008.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-94 Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Application 6

Snort® IPS/IDS

Date Description
2016-06-22 VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file uploa...
RuleID : 38965 - Revision : 3 - Type : SERVER-WEBAPP
2016-06-22 VMware vCenter Chargeback Manager ImageUploadServlet arbitrary JSP file uploa...
RuleID : 38964 - Revision : 3 - Type : POLICY-OTHER

Nessus® Vulnerability Scanner

Date Description
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2013-0008.nasl - Type : ACT_GATHER_INFO
2013-06-14 Name : The remote Windows host has an application installed that is potentially affe...
File : vmware_vcenter_chargeback_manager_251.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-11-27 13:28:44
  • Multiple Updates
2014-02-17 12:07:27
  • Multiple Updates
2013-09-09 21:21:04
  • First insertion