Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 187030 entries
IDDescriptionPriorityModified date
CVE-2007-5421 ** REJECT ** Multiple stack-based buffer overflows in Cisco IOS 12.x and IOS XR allow attackers to execute arbitrary code, as demonstrated via the "Bind Shell", "Reverse Shell", and "Two byte rootshell (Tiny Shell)" attacks. NOTE: the vendor and researcher agree that this issue does not cross privilege boundaries, saying they do not "represent a vulnerability." The disclosure was intended to demonstrate techniques for exploitation, which is not covered by CVE. REJECT Dec 31, 2099
CVE-2008-0188 DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its requester. Further investigation showed that it was not a Unchanged security issue. Notes: none. REJECT Dec 31, 2099
CVE-2008-0189 DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its requester. Further investigation showed that it was not a Unchanged security issue. Notes: none. REJECT Dec 31, 2099
CVE-2008-0886 * REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-0882. Reason: This candidate is a duplicate of CVE-2008-0882. Notes: All CVE users should reference CVE-2008-0882 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. REJECT Dec 31, 2099
CVE-2008-0929 DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. REJECT Dec 31, 2099
CVE-2008-6426 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-6426. Reason: This candidate is a duplicate of CVE-2007-6426. Notes: All CVE users should reference CVE-2007-6426 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. REJECT Dec 31, 2099
CVE-2023-43621 An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments. -- Sep 22, 2023
CVE-2023-43620 An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver. -- Sep 22, 2023
CVE-2023-43619 An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file. -- Sep 22, 2023
CVE-2023-43618 An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message. -- Sep 22, 2023
CVE-2023-43617 An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name. -- Sep 22, 2023
CVE-2023-43616 An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction. -- Sep 22, 2023
CVE-2023-43128 D-LINK DIR-806 1200M11AC wireless router DIR806A1_FW100CNb11 is vulnerable to command injection due to lax filtering of HTTP_ST parameters. -- Sep 22, 2023
CVE-2023-42810 systeminformation is a System Information Library for Node.JS. Versions 5.0.0 through 5.21.6 have a SSID Command Injection Vulnerability. The problem was fixed with a parameter check in version 5.21.7. As a workaround, check or sanitize parameter strings that are passed to `wifiConnections()`, `wifiNetworks()` (string only). -- Sep 22, 2023
CVE-2023-42807 Frappe LMS is an open source learning management system. In versions 1.0.0 and prior, on the People Page of LMS, there was an SQL Injection vulnerability. The issue has been fixed in the `main` branch. Users won\'t face this issue if they are using the latest main branch of the app. -- Sep 22, 2023
CVE-2023-42806 Hydra is the layer-two scalability solution for Cardano. Prior to version 0.13.0, not signing and verifying `$\\mathsf{cid}$` allows an attacker (which must be a participant of this head) to use a snapshot from an old head instance with the same participants to close the head or contest the state with it. This can lead to an incorrect distribution of value (= value extraction attack; hard, but possible) or prevent the head to finalize because the value available is not consistent with the closed utxo state (= denial of service; easy). A patch is planned for version 0.13.0. As a workaround, rotate keys between heads so not to re-use keys and not result in the same multi-signature participants. -- Sep 22, 2023
CVE-2023-42805 quinn-proto is a state machine for the QUIC transport protocol. Prior to versions 0.9.5 and 0.10.5, receiving unknown QUIC frames in a QUIC packet could result in a panic. The problem has been fixed in 0.9.5 and 0.10.5 maintenance releases. -- Sep 22, 2023
CVE-2023-42482 Samsung Mobile Processor Exynos 2200 allows a GPU Use After Free. -- Sep 22, 2023
CVE-2023-42458 Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the Add Documents, Images, and Files permission is only assigned to trusted roles. By default, only the Manager has this permission. -- Sep 22, 2023
CVE-2023-42456 Sudo-rs, a memory safe implementation of sudo and su, allows users to not have to enter authentication at every sudo attempt, but instead only requiring authentication every once in a while in every terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate themselves. Supporting this functionality is a set of session files (timestamps) for each user, stored in `/var/run/sudo-rs/ts`. These files are named according to the username from which the sudo attempt is made (the origin user). An issue was discovered in versions prior to 0.2.1 where usernames containing the `.` and `/` characters could result in the corruption of specific files on the filesystem. As usernames are generally not limited by the characters they can contain, a username appearing to be a relative path can be constructed. For example we could add a user to the system containing the username `../../../../bin/cp`. When logged in as a user with that name, that user could run `sudo -K` to clear their session record file. The session code then constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of `/bin/cp`. The code then clears that file, resulting in the `cp` binary effectively being removed from the system. An attacker needs to be able to login as a user with a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create the users with the constructed usernames. The issue is patched in version 0.2.1 of sudo-rs. Sudo-rs now uses the uid for the user instead of their username for determining the filename. Note that an upgrade to this version will result in existing session files being ignored and users will be forced to re-authenticate. It also fully eliminates any possibility of path traversal, given that uids are always integer values. The `sudo -K` and `sudo -k` commands can run, even if a user has no sudo access. As a workaround, make sure that one\'s system does not contain any users with a specially crafted username. While this is the case and while untrusted users do not have the ability to create arbitrary users on the system, one should not be able to exploit this issue. -- Sep 22, 2023
CVE-2023-42280 mee-admin 1.5 is vulnerable to Directory Traversal. The download method in the CommonFileController.java file does not verify the incoming data, resulting in arbitrary file reading. -- Sep 22, 2023
CVE-2023-42279 Dreamer CMS 4.1.3 is vulnerable to SQL Injection. -- Sep 22, 2023
CVE-2023-42261 Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. -- Sep 22, 2023
CVE-2023-41993 The issue was addressed with improved checks. This issue is fixed in Safari 16.6.1, macOS Ventura 13.6, OS 17.0.1 and iPadOS 17.0.1, iOS 16.7 and iPadOS 16.7. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. -- Sep 22, 2023
CVE-2023-41992 The issue was addressed with improved checks. This issue is fixed in iOS 16.7 and iPadOS 16.7, OS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, macOS Monterey 12.7, watchOS 10.0.1. A local attacker may be able to elevate their privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. -- Sep 22, 2023
CVE-2023-41991 A certificate validation issue was addressed. This issue is fixed in iOS 16.7 and iPadOS 16.7, OS 17.0.1 and iPadOS 17.0.1, watchOS 9.6.3, macOS Ventura 13.6, watchOS 10.0.1. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. -- Sep 22, 2023
CVE-2023-41616 A reflected cross-site scripting (XSS) vulnerability in the Search Student function of Student Management System v1.2.3 and before allows attackers to execute arbitrary Javascript in the context of a victim user\'s browser via a crafted payload. -- Sep 22, 2023
CVE-2023-41614 A stored cross-site scripting (XSS) vulnerability in the Add Animal Details function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description of Animal parameter. -- Sep 22, 2023
CVE-2023-38344 An issue was discovered in Ivanti Endpoint Manager before 2022 SU4. A file disclosure vulnerability exists in the GetFileContents SOAP action exposed via /landesk/managementsuite/core/core.secure/OsdScript.asmx. The application does not sufficiently restrict user-supplied paths, allowing for an authenticated attacker to read arbitrary files from a remote system, including the private key used to authenticate to agents for remote access. -- Sep 22, 2023
CVE-2023-38343 An XXE (XML external entity injection) vulnerability exists in the CSEP component of Ivanti Endpoint Manager before 2022 SU4. External entity references are enabled in the XML parser configuration. Exploitation of this vulnerability can lead to file disclosure or Server Side Request Forgery. -- Sep 22, 2023
CVE-2023-34577 SQL injection vulnerability in Prestashop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via OpartPlannedPopupModuleFrontController::prepareHook() method. -- Sep 22, 2023
CVE-2023-34576 SQL injection vulnerability in updatepos.php in PrestaShop opartfaq through 1.0.3 allows remote attackers to run arbitrary SQL commands via unspedified vector. -- Sep 22, 2023
CVE-2023-31719 FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin. -- Sep 22, 2023
CVE-2023-31718 FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download. -- Sep 22, 2023
CVE-2023-31717 A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database. -- Sep 22, 2023
CVE-2023-31716 FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log -- Sep 22, 2023
CVE-2023-5068 Delta Electronics DIAScreen may write past the end of an allocated buffer while parsing a specially crafted input file. This could allow an attacker to execute code in the context of the current process. -- Sep 22, 2023
CVE-2023-4504 Due to failure in validating the length provided by an attacker-crafted PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023. -- Sep 22, 2023
CVE-2023-43669 The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes). -- Sep 21, 2023
CVE-2023-43637 Due to the implementation of deriveVaultKey, prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be arfoobarfoobarfo. This issue happens because deriveVaultKey calls retrieveCloudKey (which will always return foobarfoobarfoobarfoobarfoobarfo as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see mergeKeys). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage. -- Sep 21, 2023
CVE-2023-43634 When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault” -- Sep 21, 2023
CVE-2023-43633 On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions. This could be used to unlock the ssh with custom “authorized_keys” via the “debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb” key, allowing VNC access via the “app.allow.vnc” key, and more. An attacker could easily enable these debug functionalities without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thereby not triggering the “measured boot” mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. -- Sep 21, 2023
CVE-2023-43632 As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options” The communication with this server is done using protobuf, and the data is comprised of 2 parts: 1. Header 2. Data When a connection is made, the server is waiting for 4 bytes of data, which will be the header, and these 4 bytes would be parsed as uint32 size of the actual data to come. Then, in the function “handleRequest” this size is then used in order to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this will allow overflowing the stack size allocated for the relevant process with freely controlled data. * An attacker can crash the system. * An attacker can gain control over the system, specifically on the “vtpm_server” process which has very high privileges. -- Sep 21, 2023
CVE-2023-43631 On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could easily add their own keys and gain full control over the system without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thus not triggering the “measured boot” mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. -- Sep 21, 2023
CVE-2023-43377 A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter. -- Sep 21, 2023
CVE-2023-43376 A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter. -- Sep 21, 2023
CVE-2023-43375 Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters. -- Sep 21, 2023
CVE-2023-43374 Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php. -- Sep 21, 2023
CVE-2023-43373 Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php. -- Sep 21, 2023
CVE-2023-43371 Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php. -- Sep 21, 2023
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online