Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 156185 entries
IDDescriptionPriorityModified date
CVE-2019-8429 ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. HIGH Mar 20, 2019
CVE-2008-1381 ZoneMinder before 1.23.3 allows remote authenticated users, and possibly unauthenticated attackers in some installations, to execute arbitrary commands via shell metacharacters in a crafted URL. High May 2, 2008
CVE-2008-6756 ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for /etc/zm.conf, which allows local users to obtain the database username and password by reading this file. Low Apr 28, 2009
CVE-2008-6755 ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, which makes it easier for remote attackers to modify this file by accessing it through a (1) PHP or (2) CGI script. Medium Apr 28, 2009
CVE-2020-6013 ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of Windows CVE-2020-00896 on unpatched systems. MEDIUM Jul 6, 2020
CVE-2020-6012 ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems or using symbolic links. This allows an unprivileged user to enable escalation of privilege via local access. LOW Aug 6, 2020
CVE-2008-2349 Zomplog 3.8.2 and earlier allows remote attackers to gain administrative access by creating an admin account via a direct request to install/Unchangeduser.php with the admin parameter set to 1. High May 20, 2008
CVE-2007-5278 Zomplog 3.8.1 and earlier stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to download files that were uploaded by users, as demonstrated by obtaining a directory listing via a direct request to /upload and then retrieving individual files. NOTE: in a non-default configuration, the directory listing is denied, but filenames may be predicable. Medium Oct 9, 2007
CVE-2017-15993 Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter. HIGH Oct 31, 2017
CVE-2021-27485 ZOLL Defibrillator Dashboard, v prior to 2.2,The application allows users to store their passwords in a recoverable format, which could allow an attacker to retrieve the credentials from the web browser. MEDIUM Jun 16, 2021
CVE-2021-27479 ZOLL Defibrillator Dashboard, v prior to 2.2,The affected product’s web application could allow a low privilege user to inject parameters to contain malicious scripts to be executed by higher privilege users. LOW Jun 16, 2021
CVE-2021-27483 ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user. MEDIUM Jun 16, 2021
CVE-2021-27489 ZOLL Defibrillator Dashboard, v prior to 2.2, The web application allows a non-administrative user to upload a malicious file. This file could allow an attacker to remotely execute arbitrary commands. MEDIUM Jun 16, 2021
CVE-2021-27481 ZOLL Defibrillator Dashboard, v prior to 2.2, The affected products utilize an encryption key in the data exchange process, which is hardcoded. This could allow an attacker to gain access to sensitive information. LOW Jun 16, 2021
CVE-2021-27487 ZOLL Defibrillator Dashboard, v prior to 2.2, The affected products contain credentials stored in plaintext. This could allow an attacker to gain access to sensitive information. LOW Jun 16, 2021
CVE-2013-7395 ZOLL Defibrillator / Monitor X Series has a default (1) supervisor password and (2) service password, which allows physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects). Medium Aug 13, 2014
CVE-2007-6756 ZOLL Defibrillator / Monitor M Series, E Series, and R Series have a default password for System Configuration mode, which allows physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects). Medium Aug 13, 2014
CVE-2009-3704 ZoIPer 2.22, and possibly other versions before 2.24 Library 5324, allows remote attackers to cause a denial of service (crash) via a SIP INVITE request with an empty Call-Info header. Medium Oct 19, 2009
CVE-2016-6602 ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit. MEDIUM Feb 7, 2017
CVE-2016-6603 ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. MEDIUM Feb 7, 2017
CVE-2021-42955 Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server Admin account. HIGH Nov 19, 2021
CVE-2021-42956 Zoho Remote Access Plus Server Windows Desktop Binary fixed in 10.1.2132.6 is affected by a sensitive information disclosure vulnerability. Due to improper privilege management, the process launches as the logged in user, so memory dump can be done by non-admin also. Remotely, an attacker can dump all sensitive information including DB Connection string, entire IT infrastructure details, commands executed by IT admin including credentials, secrets, private keys and more. MEDIUM Nov 18, 2021
CVE-2021-42954 Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc. MEDIUM Nov 18, 2021
CVE-2015-4418 Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. Medium Jun 9, 2015
CVE-2015-2959 Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role. High Jun 9, 2015
CVE-2022-25373 Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. LOW Apr 5, 2022
CVE-2021-43294 Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. MEDIUM Dec 2, 2021
CVE-2021-43295 Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. MEDIUM Dec 2, 2021
CVE-2021-43296 Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. MEDIUM Dec 2, 2021
CVE-2022-24305 Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation. HIGH Mar 2, 2022
CVE-2022-24306 Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. HIGH Mar 2, 2022
CVE-2022-32551 Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml). MEDIUM Jul 2, 2022
CVE-2021-31530 Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure. MEDIUM Jul 2, 2021
CVE-2021-31531 Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF). HIGH Jul 2, 2021
CVE-2021-31160 Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data. MEDIUM Jul 2, 2021
CVE-2021-31159 Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732. MEDIUM Jun 17, 2021
CVE-2021-44675 Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required. HIGH Dec 20, 2021
CVE-2016-4890 ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. MEDIUM Apr 21, 2017
CVE-2016-4889 ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. MEDIUM Apr 21, 2017
CVE-2022-35403 Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.) MEDIUM Jul 13, 2022
CVE-2022-25245 Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation\'s default currency name. MEDIUM Apr 5, 2022
CVE-2021-44526 Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations. MEDIUM Dec 23, 2021
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. HIGH Dec 1, 2021
CVE-2021-37415 Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. HIGH Sep 1, 2021
CVE-2020-35682 Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). MEDIUM Mar 13, 2021
CVE-2020-14048 Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. MEDIUM Jun 12, 2020
CVE-2020-6843 Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. LOW Jan 27, 2020
CVE-2019-15046 Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. MEDIUM Aug 21, 2019
CVE-2015-1480 ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp. Medium Feb 4, 2015
CVE-2019-8394 Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. MEDIUM Mar 20, 2019
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online