Wind River Support Network


The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Total entries: 216537
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2022-31004 | CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a hot fix for version 1.1.1 and for the 2.x branch. | MEDIUM | Jun 2, 2022 |
| CVE-2022-31002 | Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sdp to FreeSWITCH, which may cause a crash. This type of crash may be caused by a URL ending with `%`. Version 1.13.8 contains a patch for this issue. | MEDIUM | Jun 1, 2022 |
| CVE-2022-31001 | Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sdp to FreeSWITCH, which may cause a crash. This type of crash may be caused by `#define MATCH(s, m) (strncmp(s, m, n = sizeof(m) - 1) == 0)`, which will make `n` bigger and trigger out-of-bound access when `IS_NON_WS(s[n])`. Version 1.13.8 contains a patch for this issue. | MEDIUM | Jun 1, 2022 |
| CVE-2022-31000 | solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch. | MEDIUM | Jun 1, 2022 |
| CVE-2022-30836 | Wedding Management System v1.0 is vulnerable to SQL Injection via Wedding-Management/admin/select.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30835 | Wedding Management System v1.0 is vulnerable to SQL Injection via /Wedding-Management/admin/budget.php?booking_id=. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30834 | Wedding Management System v1.0 is vulnerable to SQL Injection via /Wedding-Management/admin/client_manage_account_details.php?booking_id=31&user_id=. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30833 | Wedding Management System v1.0 is vulnerable to SQL Injection via /Wedding-Management/admin/client_edit.php?booking=31&user_id=. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30832 | Wedding Management System v1.0 is vulnerable to SQL Injection via /Wedding-Management/admin/client_assign.php?booking=31&user_id=. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30831 | Wedding Management System v1.0 is vulnerable to SQL Injection via Wedding-Management/wedding_details.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30830 | Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\feature_edit.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30829 | Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\users_edit.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30828 | Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\photos_edit.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30827 | Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\package_edit.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30826 | Wedding Management System v1.0 is vulnerable to SQL Injection via admin\client_assign.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30825 | Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\client_edit.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30823 | Wedding Management System v1.0 is vulnerable to SQL Injection via \admin\blog_events_edit.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30822 | In Wedding Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the users_profile.php file. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30821 | In Wedding Management System v1.0, the editing function of the Services module in the background management system has an arbitrary file upload vulnerability in the picture upload point of the package_edit.php file. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30820 | In Wedding Management v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the users_edit.php file. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30819 | In Wedding Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the photos_edit.php file. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30818 | Wedding Management System v1.0 is vulnerable to SQL injection via /Wedding-Management/admin/blog_events_edit.php?id=31. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30804 | elitecms v1.01 is vulnerable to arbitrary file deletion via /admin/delete_image.php?file=. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30799 | Online Ordering System v1.0 by oretnom23 has SQL injection via store/orderpage.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30798 | Online Ordering System v1.0 by oretnom23 is vulnerable to SQL Injection via admin/viewreport.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30795 | Online Ordering System v1.0 by oretnom23 is vulnerable to SQL Injection via admin/editproductimage.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30794 | Online Ordering System v1.0 by oretnom23 is vulnerable to SQL Injection via admin/editproductetails.php. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30540 | The affected product is vulnerable to a heap-based buffer overflow via an uninitialized pointer, which may allow an attacker to execute arbitrary code. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30514 | School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:126. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30513 | School Dormitory Management System v1.0 is vulnerable to reflected cross-site scripting (XSS) via admin/inc/navigation.php:125. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30496 | SQL injection in the Logon Page of IDCE MV's application, version 1.0, allows an attacker to inject SQL payloads in the user field, connecting to a database to access the enterprise's private and sensitive information. | MEDIUM | Jun 2, 2022 |
| CVE-2022-30349 | siteserver SSCMS 6.15.51 is vulnerable to Cross Site Scripting (XSS). | MEDIUM | Jun 2, 2022 |
| CVE-2022-30237 | A CWE-311: Missing Encryption of Sensitive Data vulnerability exists that could allow authentication credentials to be recovered when an attacker breaks the encoding. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | MEDIUM | Jun 3, 2022 |
| CVE-2022-30236 | A CWE-669: Incorrect Resource Transfer Between Spheres vulnerability exists that could allow unauthorized access when an attacker uses cross-domain attacks. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | MEDIUM | Jun 3, 2022 |
| CVE-2022-30235 | A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | MEDIUM | Jun 3, 2022 |
| CVE-2022-30233 | A CWE-20: Improper Input Validation vulnerability exists that could allow the product to be maliciously manipulated when the user is tricked into performing certain actions on a webpage. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | MEDIUM | Jun 3, 2022 |
| CVE-2022-30232 | A CWE-20: Improper Input Validation vulnerability exists that could cause potential remote code execution when an attacker is able to intercept and modify a request on the same network or has configuration access to an ION device on the network. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | MEDIUM | Jun 3, 2022 |
| CVE-2022-30128 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | MEDIUM | Jun 2, 2022 |
| CVE-2022-30127 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | MEDIUM | Jun 2, 2022 |
| CVE-2022-29788 | libmobi before v0.10 contains a NULL pointer dereference via the component mobi_buffer_getpointer. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted mobi file. | MEDIUM | Jun 2, 2022 |
| CVE-2022-29784 | PublicCMS V4.0.202204.a and below contains an information leak via the component /views/directive/sys/SysConfigDataDirective.java. | MEDIUM | Jun 3, 2022 |
| CVE-2022-29778 | D-Link DIR-890L 1.20b01 allows attackers to execute arbitrary code due to the hardcoded option Wake-On-Lan for the parameter 'descriptor' at SetVirtualServerSettings.php. | MEDIUM | Jun 3, 2022 |
| CVE-2022-29767 | adbyby v2.7 allows external users to make connections via port 8118. This can cause a program logic error and lead to a Denial of Service (DoS) via high CPU usage due to a large number of connections. | MEDIUM | Jun 3, 2022 |
| CVE-2022-29735 | Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 allows attackers to execute arbitrary commands via a crafted HTTP request. | MEDIUM | Jun 2, 2022 |
| CVE-2022-29733 | Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 was discovered to transmit and store sensitive information in cleartext. This vulnerability allows attackers to intercept HTTP Cookie authentication credentials via a man-in-the-middle attack. | MEDIUM | Jun 2, 2022 |
| CVE-2022-29732 | Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 was discovered to contain a cross-site scripting (XSS) vulnerability via the Username parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | MEDIUM | Jun 2, 2022 |
| CVE-2022-29731 | An access control issue in ICT Protege GX/WX 2.08 allows attackers to leak SHA1 password hashes of other users. | MEDIUM | Jun 2, 2022 |
| CVE-2022-29729 | Verizon 4G LTE Network Extender GA4.38 - V0.4.038.2131 utilizes a weak default admin password generation algorithm which generates passwords that are accessible to unauthenticated attackers via the webUI login page. | MEDIUM | Jun 2, 2022 |
| CVE-2022-29725 | An arbitrary file upload in the image upload component of wityCMS v0.6.2 allows attackers to execute arbitrary code via a crafted PHP file. | MEDIUM | Jun 2, 2022 |
| CVE-2022-29718 | Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users into clicking on crafted links. | MEDIUM | Jun 3, 2022 |
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.