Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2023-49978 | Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators. | -- | Mar 21, 2024 | n/a |
| CVE-2023-49837 | Uncontrolled Resource Consumption vulnerability in David Artiss Code Embed. This issue affects Code Embed: from n/a through 2.3.6. | -- | Mar 21, 2024 | n/a |
| CVE-2023-48903 | Stored Cross-Site Scripting (XSS) vulnerability in tramyardg autoexpress 1.3.0, allows remote unauthenticated attackers to inject arbitrary web script or HTML within parameter imgType via in uploadCarImages.php. | -- | Mar 21, 2024 | n/a |
| CVE-2023-48902 | An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php. | -- | Mar 21, 2024 | n/a |
| CVE-2023-48901 | A SQL injection vulnerability in tramyardg Autoexpress version 1.3.0, allows remote unauthenticated attackers to execute arbitrary SQL commands via the parameter id within the getPhotosByCarId function call in details.php. | -- | Mar 21, 2024 | n/a |
| CVE-2023-47715 | IBM Storage Protect Plus Server 10.1.0 through 10.1.16 could allow an authenticated user with read-only permissions to add or delete entries from an existing HyperVisor configuration. IBM X-Force ID: 271538. | -- | Mar 21, 2024 | n/a |
| CVE-2023-46841 | Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called shadow stacks, holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. | -- | Mar 20, 2024 | n/a |
| CVE-2023-46840 | Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen. | -- | Mar 20, 2024 | n/a |
| CVE-2023-46839 | PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to setup the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain. | -- | Mar 20, 2024 | n/a |
| CVE-2023-45177 | IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS and 9.3 CD is vulnerable to a denial-of-service attack due to an error within the MQ clustering logic. IBM X-Force ID: 268066. | -- | Mar 21, 2024 | n/a |
| CVE-2023-42954 | A privilege escalation issue existed in FileMaker Server, potentially exposing sensitive information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by reducing the information sent in requests. | -- | Mar 21, 2024 | n/a |
| CVE-2023-41877 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A path traversal vulnerability in versions 2.23.4 and prior requires GeoServer Administrator with access to the admin console to misconfigure the Global Settings for log file location to an arbitrary location. The admin console GeoServer Logs page provides a preview of these contents. As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not received a patch as of time of publication. As a workaround, a system administrator responsible for running GeoServer can use the `GEOSERVER_LOG_FILE` setting to override any configuration option provided by the Global Settings page. The `GEOSERVER_LOG_LOCATION` parameter can be set as system property, environment variables, or servlet context parameters. | -- | Mar 20, 2024 | n/a |
| CVE-2023-41038 | Firebird is a relational database. Versions 4.0.0 through 4.0.3 and version 5.0 beta1 are vulnerable to a server crash when a user uses a specific form of SET BIND statement. Any non-privileged user with minimum access to a server may type a statement with a long `CHAR` length, which causes the server to crash due to stack corruption. Versions 4.0.4.2981 and 5.0.0.117 contain fixes for this issue. No known workarounds are available. | -- | Mar 20, 2024 | n/a |
| CVE-2023-38825 | SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in MyCapMobileApp/update.php. | -- | Mar 21, 2024 | n/a |
| CVE-2023-35899 | IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 259354. | -- | Mar 21, 2024 | n/a |
| CVE-2023-35888 | IBM Security Verify Governance 10.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 258375. | -- | Mar 20, 2024 | n/a |
| CVE-2023-7246 | The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks. | -- | Mar 20, 2024 | n/a |
| CVE-2023-6500 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'secondarycolor' and 'maincolor'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Mar 21, 2024 | n/a |
| CVE-2022-44595 | Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass. This issue affects WP 2FA: from n/a through 2.2.0. | -- | Mar 21, 2024 | n/a |
| CVE-2022-4963 | A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation leads to sql injection. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is d374a5f77e6b58e36f0e0e4419be18b95edcd7ff. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-257516. | -- | Mar 21, 2024 | n/a |
| CVE-2020-26942 | An issue discovered in Axigen Mail Server 10.3.x before 10.3.1.27 and 10.3.2.x before 10.3.3.1 allows unauthenticated attackers to submit a setAdminPassword operation request, subsequently setting a new arbitrary password for the admin account. | -- | Mar 21, 2024 | n/a |
| CVE-2024-29156 | In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information. | -- | Mar 18, 2024 | n/a |
| CVE-2024-29154 | danielmiessler fabric through 1.3.0 allows installer/client/gui/static/js/index.js XSS because of innerHTML mishandling, such as in htmlToPlainText. | -- | Mar 18, 2024 | n/a |
| CVE-2024-29151 | Rocket.Chat.Audit through 5ad78e8 depends on filecachetools, which does not exist in PyPI. | -- | Mar 18, 2024 | n/a |
| CVE-2024-29143 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs, sareiodata Passwordless Login passwordless-login allows Stored XSS. This issue affects Passwordless Login: from n/a through 1.1.2. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29142 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebberZone Better Search – Relevant search results for WordPress allows Stored XSS. This issue affects Better Search – Relevant search results for WordPress: from n/a through 3.3.0. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29141 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PDF Embedder allows Stored XSS. This issue affects PDF Embedder: from n/a through 4.6.4. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29140 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt Manning MJM Clinic allows Stored XSS. This issue affects MJM Clinic: from n/a through 1.1.22. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29139 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark Tilly MyCurator Content Curation allows Reflected XSS. This issue affects MyCurator Content Curation: from n/a through 3.76. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29138 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DEV Institute Restrict User Access – Membership Plugin with Force allows Reflected XSS. This issue affects Restrict User Access – Membership Plugin with Force: from n/a through 2.5. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29137 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Tourfic allows Reflected XSS. This issue affects Tourfic: from n/a through 2.11.7. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29136 | Deserialization of Untrusted Data vulnerability in Themefic Tourfic. This issue affects Tourfic: from n/a through 2.11.17. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29135 | Unrestricted Upload of File with Dangerous Type vulnerability in Tourfic. This issue affects Tourfic: from n/a through 2.11.15. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29134 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Tourfic allows Stored XSS. This issue affects Tourfic: from n/a through 2.11.8. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29130 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on allows Reflected XSS. This issue affects Contact Form 7 – PayPal & Stripe Add-on: from n/a through 2.0. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29129 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPLIT Pty Ltd OxyExtras allows Reflected XSS. This issue affects OxyExtras: from n/a through 1.4.4. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29128 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Post SMTP POST SMTP allows Reflected XSS. This issue affects POST SMTP: from n/a through 2.8.6. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29127 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager allows Reflected XSS. This issue affects Advanced Access Manager: from n/a through 6.9.20. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29126 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jose Mortellaro Specific Content For Mobile – Customize the mobile version without redirections allows Reflected XSS. This issue affects Specific Content For Mobile – Customize the mobile version without redirections: from n/a through 0.1.9.5. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29125 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elliot Sowersby, RelyWP Coupon Affiliates allows Reflected XSS. This issue affects Coupon Affiliates: from n/a through 5.12.7. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29124 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager allows Stored XSS. This issue affects Advanced Access Manager: from n/a through 6.9.20. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29123 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre Link Library allows Reflected XSS. This issue affects Link Library: from n/a through 7.6. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29122 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision: Making the web work for you FV Flowplayer Video Player allows Stored XSS. This issue affects FV Flowplayer Video Player: from n/a through 7.5.41.7212. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29121 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firassaidi WooCommerce License Manager allows Reflected XSS. This issue affects WooCommerce License Manager: from n/a through 5.3.1. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29118 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scrollsequence allows Stored XSS. This issue affects Scrollsequence: from n/a through 1.5.4. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29117 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Stored XSS. This issue affects Contact Forms by Cimatti: from n/a through 1.7.0. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29116 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IconicWP WooThumbs for WooCommerce by Iconic allows Reflected XSS. This issue affects WooThumbs for WooCommerce by Iconic: from n/a through 5.5.3. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29115 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zaytech Smart Online Order for Clover allows Stored XSS. This issue affects Smart Online Order for Clover: from n/a through 1.5.5. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29114 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in W3 Eden, Inc. Download Manager allows Stored XSS. This issue affects Download Manager: from n/a through 3.2.84. | -- | Mar 19, 2024 | n/a |
| CVE-2024-29113 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS. This issue affects RegistrationMagic: from n/a through 5.2.5.9. | -- | Mar 19, 2024 | n/a |
The 'Fixed Release' column is displayed only when a single product version is selected in the filter. The fixed release applies where the CVE has been addressed and fixed for that product version. Requires LTSS: customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.