Description
VMware VirtualCenter 2.5 before Update 2 and 2.0.2 before Update 5 relies on client-side "enabled/disabled functionality" for access control, which allows remote attackers to determine valid user names by enabling functionality in the GUI and then making an "attempt to assign permissions to other system users."
References (10)
Core 10
Core References
Vendor Advisory x_refsource_confirm
http://www.vmware.com/support/vi3/doc/releasenotes_vc202u5.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31468
Patch, Vendor Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2008-0012.html
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2363
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44425
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/4150
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1020693
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/30664
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/495386/100/0/threaded
Various Sources x_refsource_misc
http://www.insomniasec.com/advisories/ISVA-080812.1.htm
Scores
EPSS
0.0047
EPSS Percentile
65.0%
Details
CWE
CWE-200
Status
published
Products (3)
vmware/virtualcenter
2.0.2 (3 CPE variants)
vmware/virtualcenter
2.5 (2 CPE variants)
vmware/virtualcenter
< 2.0.2
Published
Aug 13, 2008
Tracked Since
Feb 18, 2026