Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 139359 entries
IDDescriptionPriorityModified date
CVE-2021-4018 snipe-it is vulnerable to Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') LOW Dec 2, 2021
CVE-2021-4017 showdoc is vulnerable to Cross-Site Request Forgery (CSRF) MEDIUM Dec 2, 2021
CVE-2021-4015 firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) MEDIUM Dec 2, 2021
CVE-2021-3994 django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') MEDIUM Dec 2, 2021
CVE-2021-3993 showdoc is vulnerable to Cross-Site Request Forgery (CSRF) MEDIUM Dec 2, 2021
CVE-2021-3992 kimai2 is vulnerable to Improper Access Control MEDIUM Dec 2, 2021
CVE-2021-3990 showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) MEDIUM Dec 2, 2021
CVE-2021-3989 showdoc is vulnerable to URL Redirection to Untrusted Site MEDIUM Dec 2, 2021
CVE-2021-3985 kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') MEDIUM Dec 2, 2021
CVE-2021-3983 kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') MEDIUM Dec 2, 2021
CVE-2021-3964 elgg is vulnerable to Authorization Bypass Through User-Controlled Key MEDIUM Dec 2, 2021
CVE-2020-29176 An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file. -- Dec 2, 2021
CVE-2021-44480 Wokka Lokka Q50 devices through 2021-11-30 allow remote attackers (who know the SIM phone number and password) to listen to a device\'s surroundings via a callback in an SMS command, as demonstrated by the 123456 and 523681 default passwords. -- Dec 1, 2021
CVE-2021-44230 PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows has weak file permissions for the embedded H2 database, which might lead to privilege escalation. This issue can be exploited by an adversary who has already compromised a valid Windows account on the server via separate means. In this scenario, the compromised account may have inherited read access to sensitive configuration, database, and log files. MEDIUM Dec 1, 2021
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. HIGH Dec 1, 2021
CVE-2021-43790 Lucet is a native WebAssembly compiler and runtime. There is a bug in the main branch of `lucet-runtime` affecting all versions published to crates.io that allows a use-after-free in an Instance object that could result in memory corruption, data race, or other related issues. This bug was introduced early in the development of Lucet and is present in all releases. As a result of this bug, and dependent on the memory backing for the Instance objects, it is possible to trigger a use-after-free when the Instance is dropped. Users should upgrade to the main branch of the Lucet repository. Lucet no longer provides versioned releases on crates.io. There is no way to remediate this vulnerability without upgrading. MEDIUM Dec 1, 2021
CVE-2021-43783 @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. In affected versions a malicious actor with write access to a registered scaffolder template is able to manipulate the template in a way that writes files to arbitrary paths on the scaffolder-backend host instance. This vulnerability can in some situation also be exploited through user input when executing a template, meaning you do not need write access to the templates. This method will not allow the attacker to control the contents of the injected file however, unless the template is also crafted in a specific way that gives control of the file contents. This vulnerability is fixed in version `0.15.14` of the `@backstage/plugin-scaffolder-backend`. This attack is mitigated by restricting access and requiring reviews when registering or modifying scaffolder templates. MEDIUM Dec 1, 2021
CVE-2021-43698 phpWhois (last update Jun 30 2021) is affected by a Cross Site Scripting (XSS) vulnerability. In file example.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET[\'query\'] then there is a XSS vulnerability. MEDIUM Dec 1, 2021
CVE-2021-43697 Workerman-ThinkPHP-Redis (last update Mar 16, 2018) is affected by a Cross Site Scripting (XSS) vulnerability. In file Controller.class.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET{C(\'VAR_JSONP_HANDLER\')] then there is a XSS vulnerability. MEDIUM Dec 1, 2021
CVE-2021-43696 twmap v2.91_v4.33 is affected by a Cross Site Scripting (XSS) vulnerability. In file list.php, the exit function will terminate the script and print the message to the user. The message will contain $_REQUEST then there is a XSS vulnerability. MEDIUM Dec 1, 2021
CVE-2021-43695 issabelPBX version 2.11 is affected by a Cross Site Scripting (XSS) vulnerability. In file page.backup_restore.php, the exit function will terminate the script and print the message to the user. The message will contain $_REQUEST without sanitization, then there is a XSS vulnerability. MEDIUM Dec 1, 2021
CVE-2021-43692 youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php. MEDIUM Dec 1, 2021
CVE-2021-43691 tripexpress v1.1 is affected by a path manipulation vulnerability in file system/helpers/dompdf/load_font.php. The variable src is coming from $_SERVER[argv] then there is a path manipulation vulnerability. HIGH Dec 1, 2021
CVE-2021-43202 In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. HIGH Dec 1, 2021
CVE-2021-42564 An open redirect through HTML injection in confidential messages in Cryptshare before 5.1.0 allows remote attackers (with permission to provide confidential messages via Cryptshare) to redirect targeted victims to any URL via the \'<meta http-equiv=refresh\' substring in the editor parameter. MEDIUM Dec 1, 2021
CVE-2021-42365 The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.15.13. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. LOW Dec 1, 2021
CVE-2021-42364 The Stetic WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the stats_page function found in the ~/stetic.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 1.0.6. MEDIUM Dec 1, 2021
CVE-2021-42358 The Contact Form With Captcha WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ~/cfwc-form.php file during contact form submission, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 1.6.2. MEDIUM Dec 1, 2021
CVE-2021-40154 NXP LPC55S69 devices before A3 have a buffer over-read via a crafted wlength value in a GET Descriptor Configuration request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory. -- Dec 1, 2021
CVE-2021-40101 An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user\'s password to be changed without a prompt for the current password. MEDIUM Dec 1, 2021
CVE-2021-36328 Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database. MEDIUM Dec 1, 2021
CVE-2021-36327 Dell EMC Streaming Data Platform versions before 1.3 contain a Server Side Request Forgery Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to perform port scanning of internal networks and make HTTP requests to an arbitrary domain of the attacker\'s choice. MEDIUM Dec 1, 2021
CVE-2021-36326 Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a downgrade in the communications between the client and server into an unencrypted format. MEDIUM Dec 1, 2021
CVE-2021-26612 An improper input validation leading to arbitrary file creation was discovered in copy method of Nexacro platform. Remote attackers use copy method to execute arbitrary command after the file creation included malicious code. HIGH Dec 1, 2021
CVE-2021-22095 In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message MEDIUM Dec 1, 2021
CVE-2021-20858 Cross-site scripting vulnerability in ELECOM LAN router WRC-2533GHBK-I firmware v1.20 and prior allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. LOW Dec 1, 2021
CVE-2021-4028 kernel: use-after-free in RDMA listen() -- Dec 1, 2021
CVE-2021-4026 bookstack is vulnerable to Improper Access Control MEDIUM Dec 1, 2021
CVE-2021-3769 # Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme. HIGH Dec 1, 2021
CVE-2021-3727 # Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they\'re an external API, it\'s not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function). HIGH Dec 1, 2021
CVE-2020-7880 The vulnerabilty was discovered in ActiveX module related to NeoRS remote support program. This issue allows an remote attacker to download and execute remote file. It is because of improper parameter validation of StartNeoRS function in ActiveX. HIGH Dec 1, 2021
CVE-2020-7879 This issue was discovered when the ipTIME C200 IP Camera was synchronized with the ipTIME NAS. It is necessary to extract value for ipTIME IP camera because the ipTIME NAS send ans setCookie(\'[COOKIE]\') . The value is transferred to the --header option in wget binary, and there is no validation check. This vulnerability allows remote attackers to execute remote command. MEDIUM Dec 1, 2021
CVE-2021-44429 Serva 4.4.0 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1, a related issue to CVE-2013-0145. MEDIUM Nov 30, 2021
CVE-2021-44428 Pinkie 2.15 allows remote attackers to cause a denial of service (daemon crash) via a TFTP read (RRQ) request, aka opcode 1. MEDIUM Nov 30, 2021
CVE-2021-44427 An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter. HIGH Nov 30, 2021
CVE-2021-44203 Stored cross-site scripting (XSS) was possible in protection plan details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 LOW Nov 30, 2021
CVE-2021-44202 Stored cross-site scripting (XSS) was possible in activity details. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 LOW Nov 30, 2021
CVE-2021-44201 Cross-site scripting (XSS) was possible in notification pop-ups. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 MEDIUM Nov 30, 2021
CVE-2021-44200 Self cross-site scripting (XSS) was possible on devices page. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 28035 LOW Nov 30, 2021
CVE-2021-44199 DLL hijacking could lead to denial of service. The following products are affected: Acronis Cyber Protect 15 (Windows) before build 28035, Acronis Agent (Windows) before build 27305, Acronis Cyber Protect Home Office (Windows) before build 39612 LOW Nov 30, 2021
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online