Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 205876 entries
IDDescriptionPriorityModified date
CVE-2024-0070 Rejected reason: This CVE ID was unused by the CNA. -- Nov 28, 2023
CVE-2024-0069 Rejected reason: This CVE ID was unused by the CNA. -- Nov 28, 2023
CVE-2023-50164 An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue. -- Dec 7, 2023
CVE-2023-50002 Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formRebootMeshNode. -- Dec 7, 2023
CVE-2023-50001 Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formUpgradeMeshOnline. -- Dec 7, 2023
CVE-2023-50000 Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formResetMeshNode. -- Dec 7, 2023
CVE-2023-49999 Tenda W30E V16.01.0.12(4843) was discovered to contain a command injection vulnerability via the function setUmountUSBPartition. -- Dec 7, 2023
CVE-2023-49967 Typecho v1.2.1 was discovered to be vulnerable to an XML Quadratic Blowup attack via the component /index.php/action/xmlrpc. -- Dec 7, 2023
CVE-2023-49958 An issue was discovered in Dalmann OCPP.Core through 1.2.0 for OCPP (Open Charge Point Protocol) for electric vehicles. The server processes mishandle StartTransaction messages containing additional, arbitrary properties, or duplicate properties. The last occurrence of a duplicate property is accepted. This could be exploited to alter transaction records or impact system integrity. -- Dec 7, 2023
CVE-2023-49957 An issue was discovered in Dalmann OCPP.Core before 1.3.0 for OCPP (Open Charge Point Protocol) for electric vehicles. It permits multiple transactions with the same connectorId and idTag, contrary to the expected ConcurrentTx status. This could result in critical transaction management and billing errors. NOTE: the vendor\'s perspective is Imagine you\'ve got two cars in your family and want to charge both in parallel on the same account/token? Why should that be rejected? -- Dec 7, 2023
CVE-2023-49956 An issue was discovered in Dalmann OCPP.Core before 1.3.0 for OCPP (Open Charge Point Protocol) for electric vehicles. A StopTransaction message with any random transactionId terminates active transactions. -- Dec 7, 2023
CVE-2023-49955 An issue was discovered in Dalmann OCPP.Core before 1.2.0 for OCPP (Open Charge Point Protocol) for electric vehicles. It does not validate the length of the chargePointVendor field in a BootNotification message, potentially leading to server instability and a denial of service when processing excessively large inputs. NOTE: the vendor\'s perspective is OCPP.Core is intended for use in a protected environment/network. -- Dec 7, 2023
CVE-2023-49948 Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL. -- Dec 4, 2023
CVE-2023-49947 Forgejo before 1.20.5-1 allows 2FA bypass when docker login uses Basic Authentication. -- Dec 4, 2023
CVE-2023-49946 In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions. -- Dec 4, 2023
CVE-2023-49926 app/Lib/Tools/EventTimelineTool.php in MISP before 2.4.179 allows XSS in the event timeline widget. -- Dec 3, 2023
CVE-2023-49914 InteraXon Muse 2 devices allow remote attackers to cause a denial of service (incorrect Muse App report of an outstanding, calm meditation state) via a 480 MHz RF carrier that is modulated by a false brain wave, aka a Brain-Hack attack. For example, the Muse App does not display the reception of a strong RF carrier, and alert the user that a report may be misleading if this carrier has been modulated by a low-frequency signal. -- Dec 3, 2023
CVE-2023-49897 An OS command injection vulnerability exists in AE1021PE firmware version 2.0.9 and earlier and AE1021 firmware version 2.0.9 and earlier. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product. -- Dec 6, 2023
CVE-2023-49787 Rejected reason: CVE request originates from private repository -- Dec 7, 2023
CVE-2023-49746 Server-Side Request Forgery (SSRF) vulnerability in Softaculous Team SpeedyCache – Cache, Optimization, Performance.This issue affects SpeedyCache – Cache, Optimization, Performance: from n/a through 1.1.2. -- Dec 7, 2023
CVE-2023-49735 ** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the \'tiles-test\' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. -- Nov 30, 2023
CVE-2023-49733 Improper Restriction of XML External Entity Reference vulnerability in Apache Cocoon.This issue affects Apache Cocoon: from 2.2.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. -- Nov 30, 2023
CVE-2023-49701 Memory Corruption in SIM management while USIMPhase2init -- Nov 30, 2023
CVE-2023-49700 Security best practices violations, a string operation in Streamingmedia will write past the end of fixed-size destination buffer if the source buffer is too large. -- Nov 30, 2023
CVE-2023-49699 Memory Corruption in IMS while calling VoLTE Streamingmedia Interface -- Nov 30, 2023
CVE-2023-49694 A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM. -- Nov 30, 2023
CVE-2023-49693 NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol (JDWP) listening on port 11611 and it is remotely accessible by unauthenticated users, allowing attackers to execute arbitrary code. -- Nov 30, 2023
CVE-2023-49674 A missing permission check in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. -- Nov 29, 2023
CVE-2023-49673 A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. -- Nov 29, 2023
CVE-2023-49656 Jenkins MATLAB Plugin 2.11.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. -- Nov 29, 2023
CVE-2023-49655 A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system. -- Nov 29, 2023
CVE-2023-49654 Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system. -- Nov 29, 2023
CVE-2023-49653 Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. -- Nov 29, 2023
CVE-2023-49652 Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1. -- Nov 29, 2023
CVE-2023-49620 Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized (which almost used in sql task), with unauthorized access vulnerability (IDOR), but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires user login to operate, please upgrade to version 3.1.0 to avoid this vulnerability -- Nov 30, 2023
CVE-2023-49493 DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the v parameter at selectimages.php. -- Dec 7, 2023
CVE-2023-49492 DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the imgstick parameter at selectimages.php. -- Dec 7, 2023
CVE-2023-49468 Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc. -- Dec 7, 2023
CVE-2023-49467 Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc. -- Dec 7, 2023
CVE-2023-49465 Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc. -- Dec 7, 2023
CVE-2023-49464 libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci. -- Dec 7, 2023
CVE-2023-49463 libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc. -- Dec 7, 2023
CVE-2023-49462 libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc. -- Dec 7, 2023
CVE-2023-49460 libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image. -- Dec 7, 2023
CVE-2023-49448 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via admin/nav/delete. -- Dec 5, 2023
CVE-2023-49447 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/nav/update. -- Dec 5, 2023
CVE-2023-49446 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/nav/save. -- Dec 5, 2023
CVE-2023-49437 Tenda AX12 V22.03.01.46 has been discovered to contain a command injection vulnerability in the \'list\' parameter at /goform/SetNetControlList. -- Dec 7, 2023
CVE-2023-49436 Tenda AX9 V22.03.01.46 has been discovered to contain a command injection vulnerability in the \'list\' parameter at /goform/SetNetControlList. -- Dec 7, 2023
CVE-2023-49435 Tenda AX9 V22.03.01.46 is vulnerable to command injection. -- Dec 7, 2023
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online