Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 139359 entries
IDDescriptionPriorityModified date
CVE-2021-44518 An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. The code is sent unencrypted, allowing any attacker with the same app (either Android or iOS) to add the lock and take complete control. For successful exploitation, the attacker must be able to touch the lock\'s power button, and must be able to capture BLE network communication. -- Dec 2, 2021
CVE-2021-44480 Wokka Lokka Q50 devices through 2021-11-30 allow remote attackers (who know the SIM phone number and password) to listen to a device\'s surroundings via a callback in an SMS command, as demonstrated by the 123456 and 523681 default passwords. -- Dec 1, 2021
CVE-2021-44479 NXP Kinetis K82 devices have a buffer over-read via a crafted wlength value in a GET Status-Other request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory. LOW Dec 4, 2021
CVE-2021-44429 Serva 4.4.0 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1, a related issue to CVE-2013-0145. MEDIUM Nov 30, 2021
CVE-2021-44428 Pinkie 2.15 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1. MEDIUM Nov 30, 2021
CVE-2021-44427 An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter. HIGH Nov 30, 2021
CVE-2021-44352 A Stack-based Buffer Overflow vlnerability exists in the Tenda AC15 V15.03.05.18_multi device via the list parameter in a post request in goform/SetIpMacBind. -- Dec 3, 2021
CVE-2021-44349 SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameter in App\\Manage\\Controller\\DownloadController.class.php. -- Dec 3, 2021
CVE-2021-44348 SQL Injection vulnerability exists in TuziCMS v2.0.6 via the id parameer in App\\Manage\\Controller\\AdvertController.class.php. -- Dec 3, 2021
CVE-2021-44347 SQL Injection vulnerability exists in TuziCMS v2.0.6 in App\\Manage\\Controller\\GuestbookController.class.php. -- Dec 3, 2021
CVE-2021-44280 attendance management system 1.0 is affected by a SQL injection vulnerability in admin/incFunctions.php through the makeSafe function. HIGH Dec 2, 2021
CVE-2021-44279 Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php. MEDIUM Dec 3, 2021
CVE-2021-44278 Librenms 21.11.0 is affected by a path manipulation vulnerability in includes/html/pages/device/showconfig.inc.php. -- Dec 3, 2021
CVE-2021-44277 Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php. MEDIUM Dec 3, 2021
CVE-2021-44230 PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows has weak file permissions for the embedded H2 database, which might lead to privilege escalation. This issue can be exploited by an adversary who has already compromised a valid Windows account on the server via separate means. In this scenario, the compromised account may have inherited read access to sensitive configuration, database, and log files. MEDIUM Dec 1, 2021
CVE-2021-44227 In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes. MEDIUM Dec 3, 2021
CVE-2021-44225 In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property MEDIUM Nov 26, 2021
CVE-2021-44223 WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory. HIGH Nov 26, 2021
CVE-2021-44219 Gin-Vue-Admin before 2.4.6 mishandles a SQL database. HIGH Nov 26, 2021
CVE-2021-44203 Stored cross-site scripting (XSS) was possible in protection plan details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 LOW Nov 30, 2021
CVE-2021-44202 Stored cross-site scripting (XSS) was possible in activity details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 LOW Nov 30, 2021
CVE-2021-44201 Cross-site scripting (XSS) was possible in notification pop-ups. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 MEDIUM Nov 30, 2021
CVE-2021-44200 Self cross-site scripting (XSS) was possible on devices page. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 LOW Nov 30, 2021
CVE-2021-44199 DLL hijacking could lead to denial of service. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27305, Acronis Cyber Protect Home Office (Windows) before build 39612 LOW Nov 30, 2021
CVE-2021-44198 DLL hijacking could lead to local privilege escalation. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035 MEDIUM Nov 30, 2021
CVE-2021-44150 The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoofing of file content. MEDIUM Nov 26, 2021
CVE-2021-44147 An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks. MEDIUM Nov 23, 2021
CVE-2021-44144 Croatia Control Asterix 2.8.1 has a heap-based buffer over-read, with additional details to be disclosed at a later date. MEDIUM Nov 24, 2021
CVE-2021-44143 A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution. HIGH Nov 27, 2021
CVE-2021-44140 Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later. MEDIUM Nov 24, 2021
CVE-2021-44094 ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file MEDIUM Nov 28, 2021
CVE-2021-44093 A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell HIGH Nov 28, 2021
CVE-2021-44079 In the wazuh-slack active response script in Wazuh before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution. HIGH Nov 26, 2021
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. HIGH Dec 1, 2021
CVE-2021-44050 CA Network Flow Analysis (NFA) 21.2.1 and earlier contain a SQL injection vulnerability in the NFA web application, due to insufficient input validation, that could potentially allow an authenticated user to access sensitive data. -- Dec 3, 2021
CVE-2021-44048 An out-of-bounds write vulnerability exists when reading a TIF file using Open Design Alliance (ODA) Drawings Explorer before 2022.11. The specific issue exists after loading TIF files. Crafted data in a TIF file can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. -- Dec 5, 2021
CVE-2021-44047 A use-after-free vulnerability exists when reading a DWF/DWFX file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists with parsing DWF/DWFX files. Crafted data in a DWF/DWFX file and lack of proper validation of input data can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. -- Dec 5, 2021
CVE-2021-44046 An out-of-bounds write vulnerability exists when reading U3D files in Open Design Alliance PRC SDK before 2022.11. An unchecked return value of a function (verifying input data from a U3D file) leads to an out-of-bounds write. An attacker can leverage this vulnerability to execute code in the context of the current process. -- Dec 5, 2021
CVE-2021-44045 An out-of-bounds write vulnerability exists when reading a DGN file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists within the parsing of DGN files. Crafted data in a DGN file and lack of proper validation for the XFAT sectors count can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. -- Dec 5, 2021
CVE-2021-44044 An out-of-bounds write vulnerability exists when reading a JPG file using Open Design Alliance Drawings SDK before 2022.11. The specific issue exists with parsing JPG files. Crafted data in a JPG (4 extraneous bytes before the marker 0xca) can trigger a write operation past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. -- Dec 5, 2021
CVE-2021-44038 An issue was discovered in Quagga through 1.2.4. Unsafe chown/chmod operations in the suggested spec file allow users (with control of the non-root-owned directory /etc/quagga) to escalate their privileges to root upon package installation or update. HIGH Nov 19, 2021
CVE-2021-44037 Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning. MEDIUM Nov 19, 2021
CVE-2021-44036 Team Password Manager (aka TeamPasswordManager) before 10.135.236 has a CSRF vulnerability during import. MEDIUM Nov 19, 2021
CVE-2021-44033 In Ionic Identity Vault before 5.0.5, the protection mechanism for invalid unlock attempts can be bypassed. MEDIUM Nov 19, 2021
CVE-2021-44026 Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. HIGH Nov 19, 2021
CVE-2021-44025 Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment\'s filename extension when displaying a MIME type warning message. MEDIUM Nov 19, 2021
CVE-2021-44022 A reachable assertion vulnerability in Trend Micro Apex One could allow an attacker to crash the program on affected installations, leading to a denial-of-service (DoS). Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. -- Dec 3, 2021
CVE-2021-44021 An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44019 and 44020. -- Dec 3, 2021
CVE-2021-44020 An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44019 and 44021. -- Dec 3, 2021
CVE-2021-44019 An unnecessary privilege vulnerability in Trend Micro Worry-Free Business Security 10.0 SP1 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to but not identical to CVE-2021-44020 and 44021. -- Dec 3, 2021
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online