Total
6 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-3985 | 1 Vmware | 1 Sd-wan Orchestrator | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 allows an access to set arbitrary authorization levels leading to a privilege escalation issue. An authenticated SD-WAN Orchestrator user may exploit an application weakness and call a vulnerable API to elevate their privileges. | |||||
CVE-2020-4001 | 1 Vmware | 1 Sd-wan Orchestrator | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
The SD-WAN Orchestrator 3.3.2, 3.4.x, and 4.0.x has default passwords allowing for a Pass-the-Hash Attack. SD-WAN Orchestrator ships with default passwords for predefined accounts which may lead to to a Pass-the-Hash attack. | |||||
CVE-2020-4002 | 1 Vmware | 1 Sd-wan Orchestrator | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 handles system parameters in an insecure way. An authenticated SD-WAN Orchestrator user with high privileges may be able to execute arbitrary code on the underlying operating system. | |||||
CVE-2020-3984 | 1 Vmware | 1 Sd-wan Orchestrator | 2020-12-07 | 4.0 MEDIUM | 6.5 MEDIUM |
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 does not apply correct input validation which allows for SQL-injection. An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access. | |||||
CVE-2020-4000 | 1 Vmware | 1 Sd-wan Orchestrator | 2020-12-07 | 6.5 MEDIUM | 8.8 HIGH |
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 allows for executing files through directory traversal. An authenticated SD-WAN Orchestrator user is able to traversal directories which may lead to code execution of files. | |||||
CVE-2020-4003 | 1 Vmware | 1 Sd-wan Orchestrator | 2020-12-07 | 4.0 MEDIUM | 6.5 MEDIUM |
VMware SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3, 3.4.x prior to 3.4.4, and 4.0.x prior to 4.0.1 was found to be vulnerable to SQL-injection attacks allowing for potential information disclosure. An authenticated SD-WAN Orchestrator user may inject code into SQL queries which may lead to information disclosure. |