Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 92888 entries
IDDescriptionPriorityModified date
CVE-2017-16055 `sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16051 `sqliter` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16050 `sqlite.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16049 `nodesqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16054 `nodefabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16048 `node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16052 `node-fabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2018-3767 `memjs` versions <= 1.1.0 allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage. MEDIUM Jul 5, 2018
CVE-2017-16046 `mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16045 `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16039 `hftp` is a static http or ftp server `hftp` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 4, 2018
CVE-2017-16037 `gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL. MEDIUM Jun 4, 2018
CVE-2017-16053 `fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16038 `f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. This is compounded by `f2e-server` requiring elevated privileges to run. MEDIUM Jun 4, 2018
CVE-2017-16044 `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018
CVE-2017-16036 `badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 4, 2018
CVE-2014-1858 __init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file. -- Jan 8, 2018
CVE-2016-5674 __debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter. HIGH Aug 31, 2016
CVE-2015-9262 _XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow. -- Aug 1, 2018
CVE-2019-13597 _s_/sprm/_s_/dyn/Player_setScriptFile in Sahi Pro 8.0.0 allows command execution. It allows one to run \".sah\" scripts via Sahi Launcher. Also, one can create a new script with an editor. It is possible to execute commands on the server using the _execute() function. -- Jul 14, 2019
CVE-2018-18065 _set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. MEDIUM Oct 8, 2018
CVE-2008-2682 _RealmAdmin/login.asp in Realm CMS 2.3 and earlier allows remote attackers to bypass authentication and access admin pages via certain modified cookies, probably including (1) cUserRole, (2) cUserName, and (3) cUserID. High Jun 12, 2008
CVE-2008-1099 _macro_Getval in wikimacro.py in MoinMoin 1.5.8 and earlier does not properly enforce ACLs, which allows remote attackers to read protected pages. Medium Mar 5, 2008
CVE-2010-0716 _layouts/Upload.aspx in the Documents module in Microsoft SharePoint before 2010 uses URLs with the same hostname and port number for a web site's primary files and individual users' uploaded files (aka attachments), which allows remote authenticated users to leverage same-origin relationships and conduct cross-site scripting (XSS) attacks by uploading TXT files, a related issue to CVE-2008-5026. NOTE: the vendor disputes the significance of this issue, because cross-domain isolation can be implemented when needed. Low Feb 26, 2010
CVE-2019-7748 _includes\\online.php in DbNinja 3.2.7 allows XSS via the data.php task parameter if _users/admin/tasks.php exists. Medium Feb 11, 2019
CVE-2009-1936 _functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a redirect but does not exit when it is called directly, which allows remote attackers to bypass a protection mechanism to conduct remote file inclusion and directory traversal attacks, ro execute arbitrary PHP code or read arbitrary files, via the GLOBALS[prefix] parameter, a different vector than CVE-2003-1500. Medium Jun 5, 2009
CVE-2018-15563 _core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter. MEDIUM Oct 2, 2018
CVE-2018-16790 _bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer. MEDIUM Sep 10, 2018
CVE-2008-6473 _blogadata/include/init_pass2.php in Blogator-script 0.95 allows remote attackers to change the password for arbitrary users via a modified a parameter with a % wildcard symbol in the b parameter. Medium Mar 16, 2009
CVE-2017-14938 _bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file. Medium Sep 29, 2017
CVE-2017-15225 _bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file. MEDIUM Oct 10, 2017
CVE-2018-11077 \'getlogs\' utility in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1 and 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 is affected by an OS command injection vulnerability. A malicious Avamar admin user may potentially be able to execute arbitrary commands under root privilege. HIGH Nov 26, 2018
CVE-2018-5740 \"deny-answer-aliases\" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c. Affects BIND 9.7.0->9.8.8, 9.9.0->9.9.13, 9.10.0->9.10.8, 9.11.0->9.11.4, 9.12.0->9.12.2, 9.13.0->9.13.2. MEDIUM Jan 16, 2019
CVE-2018-4445 \"Clear History and Website Data\" did not clear the history. The issue was addressed with improved data deletion. This issue affected versions prior to iOS 12.1.1, Safari 12.0.2. MEDIUM Apr 3, 2019
CVE-2017-1000120 [ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter. MEDIUM Oct 4, 2017
CVE-2019-10647 ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if the 192.168.0.1 web server sends the contents of a .php file (i.e., it does not interpret a .php file). HIGH Mar 30, 2019
CVE-2018-1000653 zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx. HIGH Aug 20, 2018
CVE-2018-17415 zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter. MEDIUM Mar 7, 2019
CVE-2018-17414 zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter. MEDIUM Mar 7, 2019
CVE-2018-17412 zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header. HIGH Mar 7, 2019
CVE-2018-14962 zzcms 8.3 has stored XSS related to the content variable in user/manage.php and zt/show.php. LOW Aug 6, 2018
CVE-2018-14963 zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI. MEDIUM Aug 6, 2018
CVE-2018-17136 zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header. HIGH Sep 17, 2018
CVE-2018-7434 zzcms 8.2 allows remote attackers to discover the full path via a direct request to 3/qq_connect2.0/API/class/ErrorCase.class.php or 3/ucenter_api/code/friend.php. MEDIUM Feb 23, 2018
CVE-2019-9078 zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT. LOW Feb 24, 2019
CVE-2018-9129 ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections. MEDIUM Aug 15, 2018
CVE-2017-17550 ZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a CSRF vulnerability via a cgi-bin/zysh-cgi cmd action to add a user account. This account\'s access could, for example, subsequently be used for stored XSS. MEDIUM Nov 10, 2018
CVE-2008-1160 ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges. High Mar 24, 2008
CVE-2017-7964 Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process. HIGH Apr 19, 2017
CVE-2019-7391 ZyXEL VMG3312-B10B DSL-491HNU-B1B v2 devices allow login/login-page.cgi CSRF. MEDIUM Mar 21, 2019
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.
Live chat
Online