Published: 07/06/2023 Updated: 14/06/2023

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 0

This vulnerability allows remote malicious users to disclose sensitive information on affected installations of VMware Aria Operations for Networks. Authentication is required to exploit this vulnerability. The specific flaw exists within the exportPDF method. The issue results from the lack of proper validation of a user-supplied string before using it to execute JavaScript code. An attacker can leverage this vulnerability to disclose information in the context of the service account.

Vulnerable Product	Search on Vulmon	Subscribe to Product
vmware vrealize network insight

A (cautionary) tale of two patched bugs, both exploited in the wild

The Register

Topics Security Off-Prem On-Prem Software Offbeat Special Features Vendor Voice Vendor Voice Resources One affects VMware's monitoring tool and the other TP-Link routers

Miscreants are right now exploiting two security bugs for which patches exist, one in a VMware network and applications monitoring tool and the other in some TP-Link routers. VMware two weeks ago issued a fix for CVE-2023-20887, a critical command-injection vulnerability in Aria Operations for Networks that can be abused to achieve remote code execution. Meanwhile, TP-Link patched CVE-2023-1389 in mid-March. This is another command-injection vulnerability that can lead to remote code execution. ...

CVE-2023-20889

Vulnerability Summary

Vulnerability Trend

Recent Articles

References

Vulmon Search

About

Products

Connect