Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 164513 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2022-1044 Sensitive Data Exposure Due To Insecure Storage Of Profile Image in GitHub repository polonel/trudesk prior to v1.2.1. MEDIUM May 12, 2022 n/a
CVE-2022-1043 A flaw was found in the Linux kernel’s io_uring implementation. This flaw allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges. -- Mar 24, 2022 n/a
CVE-2022-1042 In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. -- Jul 26, 2022 n/a
CVE-2022-1041 In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. -- Jul 26, 2022 n/a
CVE-2022-1040 An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older. HIGH Mar 25, 2022 n/a
CVE-2022-1039 The weak password on the web user interface can be exploited via HTTP or HTTPS. Once such access has been obtained, the other passwords can be changed. The weak password on Linux accounts can be accessed via SSH or Telnet, the former of which is by default enabled on trusted interfaces. While the SSH service does not support root login, a user logging in using either of the other Linux accounts may elevate to root access using the su command if they have access to the associated password. HIGH Apr 20, 2022 n/a
CVE-2022-1038 A potential security vulnerability has been identified in the HP Jumpstart software, which might allow escalation of privilege. HP is recommending that customers uninstall HP Jumpstart and use myHP software. -- Dec 12, 2022 n/a
CVE-2022-1037 The EXMAGE WordPress plugin before 1.0.7 does to ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs MEDIUM Apr 18, 2022 n/a
CVE-2022-1036 Able to create an account with long password leads to memory corruption / Integer Overflow in GitHub repository microweber/microweber prior to 1.2.12. MEDIUM Mar 23, 2022 n/a
CVE-2022-1035 Segmentation Fault caused by MP4Box -lsr in GitHub repository gpac/gpac prior to 2.1.0-DEV. MEDIUM Mar 22, 2022 n/a
CVE-2022-1034 There is a Unrestricted Upload of File vulnerability in ShowDoc v2.10.3 in GitHub repository star7th/showdoc prior to 2.10.4. MEDIUM Mar 22, 2022 n/a
CVE-2022-1033 Unrestricted Upload of File with Dangerous Type in GitHub repository crater-invoice/crater prior to 6.0.6. MEDIUM Mar 23, 2022 n/a
CVE-2022-1032 Insecure deserialization of not validated module file in GitHub repository crater-invoice/crater prior to 6.0.6. MEDIUM Apr 4, 2022 n/a
CVE-2022-1031 Use After Free in op_is_set_bp in GitHub repository radareorg/radare2 prior to 5.6.6. MEDIUM Mar 23, 2022 n/a
CVE-2022-1030 Okta Advanced Server Access Client for Linux and macOS prior to version 1.58.0 was found to be vulnerable to command injection via a specially crafted URL. An attacker, who has knowledge of a valid team name for the victim and also knows a valid target host where the user has access, can execute commands on the local system. HIGH Mar 24, 2022 n/a
CVE-2022-1029 The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) LOW Jun 27, 2022 n/a
CVE-2022-1028 The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) LOW Jun 27, 2022 n/a
CVE-2022-1027 The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users. LOW Apr 25, 2022 n/a
CVE-2022-1026 Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function. MEDIUM Apr 4, 2022 n/a
CVE-2022-1025 All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. HIGH Jul 13, 2022 n/a
CVE-2022-1024 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none -- Nov 7, 2023 n/a
CVE-2022-1023 The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file MEDIUM Apr 15, 2022 n/a
CVE-2022-1022 Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0. LOW Apr 21, 2022 n/a
CVE-2022-1021 Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0. -- Aug 19, 2022 n/a
CVE-2022-1020 The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument HIGH Apr 18, 2022 n/a
CVE-2022-1019 Automated Logic\'s WebCtrl Server Version 6.1 \'Help\' index pages are vulnerable to open redirection. The vulnerability allows an attacker to send a maliciously crafted URL which could result in redirecting the user to a malicious webpage or downloading a malicious file. MEDIUM Apr 20, 2022 n/a
CVE-2022-1018 When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality. MEDIUM Apr 2, 2022 n/a
CVE-2022-1016 A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle \'return\' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker. -- Mar 30, 2022 n/a
CVE-2022-1015 A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue. MEDIUM Apr 30, 2022 n/a
CVE-2022-1014 The WP Contacts Manager WordPress plugin through 2.2.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability. HIGH May 23, 2022 n/a
CVE-2022-1013 The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability. HIGH May 9, 2022 n/a
CVE-2022-1012 A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem. -- May 12, 2022 n/a
CVE-2022-1011 A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. MEDIUM Mar 18, 2022 n/a
CVE-2022-1010 The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) LOW Jun 27, 2022 n/a
CVE-2022-1009 The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file MEDIUM May 31, 2022 n/a
CVE-2022-1008 The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed MEDIUM Apr 15, 2022 n/a
CVE-2022-1007 The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue MEDIUM Apr 14, 2022 n/a
CVE-2022-1006 The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks MEDIUM Apr 14, 2022 n/a
CVE-2022-1005 The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters MEDIUM Jun 8, 2022 n/a
CVE-2022-1004 Accounted time is shown in the Ticket Detail View (External Interface), even if ExternalFrontend::TicketDetailView###AccountedTimeDisplay is disabled. MEDIUM Mar 21, 2022 n/a
CVE-2022-1003 One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads. MEDIUM Mar 18, 2022 n/a
CVE-2022-1002 Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations. LOW Mar 18, 2022 n/a
CVE-2022-1001 The WP Downgrade WordPress plugin before 1.2.3 only perform client side validation of its WordPress Target Version settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfiltered_html capability is disallowed LOW Apr 25, 2022 n/a
CVE-2022-1000 Path Traversal in GitHub repository prasathmani/tinyfilemanager prior to 2.4.7. HIGH Mar 17, 2022 n/a
CVE-2022-0999 An authenticated user may be able to misuse parameters to inject arbitrary operating system commands into mySCADA myPRO versions 8.25.0 and prior. HIGH Apr 12, 2022 n/a
CVE-2022-0998 An integer overflow flaw was found in the Linux kernel’s virtio device driver code in the way a user triggers the vhost_vdpa_config_validate function. This flaw allows a local user to crash or potentially escalate their privileges on the system. HIGH Mar 18, 2022 n/a
CVE-2022-0997 Improper file permissions in the CommandPost, Collector, and Sensor components of Fidelis Network and Deception enables an attacker with local, administrative access to the CLI to modify affected script files, which could result in arbitrary commands being run as root upon subsequent logon by a root user. The vulnerability is present in Fidelis Network and Deception versions prior to 9.4.5. Patches and updates are available to address this vulnerability. HIGH May 18, 2022 n/a
CVE-2022-0996 A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication. MEDIUM Mar 24, 2022 n/a
CVE-2022-0995 An out-of-bounds (OOB) memory write flaw was found in the Linux kernel’s watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system. MEDIUM Mar 25, 2022 n/a
CVE-2022-0994 The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed LOW Apr 18, 2022 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online