CVE-2016-7459

HIGH

VMware vCenter Server 5.5-6.0 - Authenticated XXE Injection via Log Browser, Distributed Switch, or Content Library

Title source: llm
STIX 2.1

Description

VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94486
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037329
Patch, Vendor Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2016-0022.html

Scores

CVSS v3 7.7
EPSS 0.0055
EPSS Percentile 68.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-611
Status published
Products (3)
vmware/vcenter_server 5.0
vmware/vcenter_server 5.5 (5 CPE variants)
vmware/vcenter_server 6.0 (7 CPE variants)
Published Dec 29, 2016
Tracked Since Feb 18, 2026