Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 216537 entries
IDDescriptionPriorityModified date
CVE-2017-9343 In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector misuses a NULL pointer. This was addressed in epan/dissectors/packet-msnip.c by validating an IPv4 address. MEDIUM Jun 5, 2017
CVE-2017-9340 An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2. MEDIUM Jul 17, 2017
CVE-2017-9339 A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token. MEDIUM Jul 17, 2017
CVE-2017-9338 Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue. LOW Jul 17, 2017
CVE-2017-9337 The Markdown on Save Improved plugin 2.5 for WordPress has a stored XSS vulnerability in the content of a post. MEDIUM Jun 9, 2017
CVE-2017-9336 The WP Editor.MD plugin 1.6 for WordPress has a stored XSS vulnerability in the content of a post. MEDIUM Jun 9, 2017
CVE-2017-9334 An incorrect pair? check in the Scheme length procedure results in an unsafe pointer dereference in all CHICKEN Scheme versions prior to 4.13, which allows an attacker to cause a denial of service by passing an improper list to an application that calls length on it. MEDIUM Jun 9, 2017
CVE-2017-9333 OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted users can trigger CallOPKG calls, and these users can enter an arbitrary URL in an input field, even though that input field was only intended for a package name. This threat model may be relevant in the latest versions of third-party products that bundle OpenWebif, i.e., set-top box products. The issue of Trojan horse packages does NOT have security implications in cases where the attacker has full OpenWebif access. Medium Sep 21, 2017
CVE-2017-9332 The smarty_self function in modules/module_smarty.php in PivotX 2.3.11 mishandles the URI, allowing XSS via vectors involving quotes in the self Smarty tag. MEDIUM Jun 6, 2017
CVE-2017-9331 The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS) vulnerability in modules/Utils/RecordBrowser/RecordBrowserCommon_0.php, which allows remote attackers to inject arbitrary web script or HTML via a crafted meeting description parameter. LOW Jun 9, 2017
CVE-2017-9330 QEMU (aka Quick Emulator), when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value. LOW Jun 9, 2017
CVE-2017-9328 Shell metacharacter injection vulnerability in /usr/www/include/ajax/GetTest.php in TerraMaster TOS before 3.0.34 leads to remote code execution as root. HIGH Sep 15, 2017
CVE-2017-9327 Secret data of processes managed by CM is not secured by file permissions. MEDIUM Jul 11, 2019
CVE-2017-9326 The keystore password for the Spark History Server may be exposed in unsecured files under the /var/run/cloudera-scm-agent directory managed by Cloudera Manager. The keystore file itself is not exposed. LOW Jul 11, 2019
CVE-2017-9325 The provided secure solrconfig.xml sample configuration does not enforce Sentry authorization on /update/json/docs. MEDIUM Jul 11, 2019
CVE-2017-9324 In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with agent permission is capable of opening a specific URL in a browser to gain administrative privileges / full access. Afterward, all system settings can be read and changed. The URLs in question contain index.pl?Action=Installer with ;Subaction=Intro or ;Subaction=Start or ;Subaction=System appended at the end. MEDIUM Jun 12, 2017
CVE-2017-9323 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2017. Notes: none -- Nov 7, 2023
CVE-2017-9322 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2017. Notes: none -- Nov 7, 2023
CVE-2017-9321 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2017. Notes: none -- Nov 7, 2023
CVE-2017-9317 Privilege escalation vulnerability found in some Dahua IP devices. Attacker in possession of low privilege account can gain access to credential information of high privilege account and further obtain device information or attack the device. MEDIUM May 23, 2018
CVE-2017-9316 Firmware upgrade authentication bypass vulnerability was found in Dahua IPC-HDW4300S and some IP products. The vulnerability was caused by internal Debug function. This particular function was used for problem analysis and performance tuning during product development phase. It allowed the device to receive only specific data (one direction, no transmit) and therefore it was not involved in any instance of collecting user privacy data or allowing remote code execution. MEDIUM Nov 27, 2017
CVE-2017-9315 Customer of Dahua IP camera or IP PTZ could submit relevant device information to receive a time limited temporary password from Dahua authorized dealer to reset the admin password. The algorithm used in this mechanism is potentially at risk of being compromised and subsequently utilized by attacker. MEDIUM Nov 28, 2017
CVE-2017-9314 Authentication vulnerability found in Dahua NVR models NVR50XX, NVR52XX, NVR54XX, NVR58XX with software before DH_NVR5xxx_Eng_P_V2.616.0000.0.R.20171102. Attacker could exploit this vulnerability to gain access to additional operations by means of forging json message. MEDIUM Nov 13, 2017
CVE-2017-9313 Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1.850 allow remote attackers to inject arbitrary web script or HTML via the sec parameter to view_man.cgi, the referers parameter to change_referers.cgi, or the name parameter to save_user.cgi. NOTE: these issues were not fixed in 1.840. Medium Jul 10, 2017
CVE-2017-9312 Improperly implemented option-field processing in the TCP/IP stack on Allen-Bradley L30ERMS safety devices v30 and earlier causes a denial of service. When a crafted TCP packet is received, the device reboots immediately. HIGH Jun 25, 2018
CVE-2017-9310 QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer. LOW Jun 8, 2017
CVE-2017-9307 SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remote authenticated users to conduct port scans and access intranet servers via a crafted file parameter. MEDIUM Jun 9, 2017
CVE-2017-9306 inc/SP/Html/Html.class.php in sysPass 2.1.9 allows remote attackers to bypass the XSS filter, as demonstrated by use of an <svg/onload= substring instead of an <svg onload= substring. MEDIUM Jun 9, 2017
CVE-2017-9305 lib/core/TikiFilter/PreventXss.php in Tiki Wiki CMS Groupware 16.2 allows remote attackers to bypass the XSS filter via padded zero characters, as demonstrated by an attack on tiki-batch_send_newsletter.php. MEDIUM Jun 8, 2017
CVE-2017-9304 libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule that is mishandled in the _yr_re_emit function. MEDIUM Jun 6, 2017
CVE-2017-9303 Laravel 5.4.x before 5.4.22 does not properly constrain the host portion of a password-reset URL, which makes it easier for remote attackers to conduct phishing attacks by specifying an attacker-controlled host. MEDIUM Jun 8, 2017
CVE-2017-9302 RealPlayer 16.0.2.32 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mp4 file. MEDIUM Jun 8, 2017
CVE-2017-9301 pluginsaudio_filterlibmpgatofixed32_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (invalid read and application crash) or possibly have unspecified other impact via a crafted file. MEDIUM Jun 6, 2017
CVE-2017-9300 pluginscodeclibflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted FLAC file. MEDIUM Jun 6, 2017
CVE-2017-9299 Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS] and Direction=[XSS] attacks. MEDIUM Jun 7, 2017
CVE-2017-9298 Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code. LOW Jun 8, 2017
CVE-2017-9297 Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 allows remote attackers to redirect users to arbitrary web sites. MEDIUM Jun 8, 2017
CVE-2017-9296 Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Tuning Manager before 8.5.2-00 allows remote attackers to redirect authenticated users to arbitrary web sites. MEDIUM Jun 8, 2017
CVE-2017-9295 XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to read arbitrary files. MEDIUM Jun 8, 2017
CVE-2017-9294 RMI vulnerability in Hitachi Device Manager before 8.5.2-01 allows remote attackers to execute internal commands without authentication via RMI ports. HIGH Jun 8, 2017
CVE-2017-9292 Lansweeper before 6.0.0.65 has XSS in an image retrieval URI, aka Bug 542782. MEDIUM Jun 8, 2017
CVE-2017-9289 Bram Korsten Note through 1.2.0 is vulnerable to a reflected XSS in note-sourceuieditor.php (edit parameter). MEDIUM Jun 8, 2017
CVE-2017-9288 The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected XSS in sendtesterror.php (backurl parameter). MEDIUM Jun 8, 2017
CVE-2017-9287 servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to a double free vulnerability. A user with access to search the directory can crash slapd by issuing a search including the Paged Results control with a page size of 0. MEDIUM Jun 8, 2017
CVE-2017-9286 The packaging of NextCloud in openSUSE used /srv/www/htdocs in an unsafe manner, which could have allowed scripts running as wwwrun user to escalate privileges to root during nextcloud package upgrade. HIGH Mar 1, 2018
CVE-2017-9285 NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions when ebaclient was used, allowing unpermitted access to eDirectory services. HIGH Mar 2, 2018
CVE-2017-9284 IDM 4.6 Identity Applications prior to 4.6.2.1 may expose sensitive information. MEDIUM Apr 26, 2018
CVE-2017-9283 An out-of-bounds read (CWE-125) vulnerability exists in Micro Focus VisiBroker 8.5. The feasibility of leveraging this vulnerability for further attacks was not assessed. HIGH Sep 21, 2017
CVE-2017-9282 An integer overflow (CWE-190) led to an out-of-bounds write (CWE-787) on a heap-allocated area, leading to heap corruption in Micro Focus VisiBroker 8.5. The feasibility of leveraging this vulnerability for further attacks was not assessed. HIGH Sep 21, 2017
CVE-2017-9281 An integer overflow (CWE-190) potentially causing an out-of-bounds read (CWE-125) vulnerability in Micro Focus VisiBroker 8.5 can lead to a denial of service. MEDIUM Sep 21, 2017
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online