Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 187172 entries
IDDescriptionPriorityModified date
CVE-1999-0095 The debug command in Sendmail is enabled, allowing attackers to execute commands as root. HIGH Jun 11, 2019
CVE-1999-0145 Sendmail WIZ command enabled, allowing root access. HIGH Jun 11, 2019
CVE-1999-0199 manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a statement about the unspecified tdelete return value upon deletion of a tree\'s root, which might allow attackers to access a dangling pointer in an application whose developer was unaware of a documentation update from 1999. HIGH Oct 6, 2020
CVE-1999-1170 IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the \"flags\" registry key to 1920. MEDIUM Aug 13, 2019
CVE-1999-1171 IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the \"flags\" registry key to 1920. MEDIUM Aug 13, 2019
CVE-1999-1593 Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable. High Jan 15, 2009
CVE-2000-1245 Multiple unspecified vulnerabilities in NWFTPD.nlm before 5.01o in the FTP server in Novell NetWare 5.1 SP3 allow remote attackers to bypass intended restrictions on anonymous access via unknown vectors. High Apr 5, 2010
CVE-2000-1246 NWFTPD.nlm before 5.01o in the FTP server in Novell NetWare 5.1 SP3 allows remote authenticated users to cause a denial of service (abend) by sending an RNTO command after a failed RNFR command. Low Apr 5, 2010
CVE-2000-1247 The default configuration of the jserv-status handler in jserv.conf in Apache JServ 1.1.2 includes an allow from 127.0.0.1 line, which allows local users to discover JDBC passwords or other sensitive information via a direct request to the jserv/ URI. Low Oct 5, 2011
CVE-2000-1254 crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging improper RSA key generation on 64-bit HP-UX platforms. Medium May 6, 2016
CVE-2001-1021 Buffer overflows in WS_FTP 2.02 allow remote attackers to execute arbitrary code via long arguments to (1) DELE, (2) MDTM, (3) MLST, (4) MKD, (5) RMD, (6) RNFR, (7) RNTO, (8) SIZE, (9) STAT, (10) XMKD, or (11) XRMD. HIGH Aug 13, 2019
CVE-2001-1586 Directory traversal vulnerability in SimpleServer:WWW 1.13 and earlier allows remote attackers to execute arbitrary programs via encoded ../ (%2E%2E%2F%) sequences in a request to the cgi-bin/ directory, a different vulnerability than CVE-2000-0664. High Feb 15, 2010
CVE-2001-1587 NWFTPD.nlm before 5.01w in the FTP server in Novell NetWare allows remote attackers to cause a denial of service (abend) via an anonymous STOU command. Medium Apr 5, 2010
CVE-2001-1593 The tempname_ensure function lib/routines.h in a2ps 4.14 and earlier, as used by the spy_user function and possibly other functions, allows local users to modify arbitrary files via a symlink attack on a temporary file. Low Apr 7, 2014
CVE-2001-1594 GE Healthcare eNTEGRA P&R has a password of (1) entegra for the entegra user, (2) passme for the super user of the Polestar/Polestar-i Starlink 4 upgrade, (3) 0 for the entegra user of the Codonics printer FTP service, (4) eNTEGRA for the eNTEGRA P&R user account, (5) insite for the WinVNC Login, and possibly other accounts, which has unspecified impact and attack vectors. NOTE: it is not clear whether this password is default, hardcoded, or dependent on another system or product that requires a fixed value. High Aug 11, 2015
CVE-2002-0390 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. -- Jul 21, 2019
CVE-2002-0471 PHPNetToolpack 0.1 allows remote attackers to execute arbitrary code via shell metacharacters in the a_query variable. High Sep 24, 2008
CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux. LOW Sep 5, 2008
CVE-2002-0806 Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, allows authenticated users with editing privileges to delete other users by directly calling the editusers.cgi script with the del option. Low Sep 5, 2008
CVE-2002-0811 Bugzilla 2.14 before 2.14.2, and 2.16 before 2.16rc2, may allow remote attackers to cause a denial of service or execute certain queries via a SQL injection attack on the sort order parameter to buglist.cgi. High Feb 11, 2009
CVE-2002-0826 Buffer overflow in WS_FTP FTP Server 3.1.1 allows remote authenticated users to execute arbitrary code via a long SITE CPWD command. HIGH Aug 13, 2019
CVE-2002-2427 The security handler in GoAhead WebServer before 2.1.1 allows remote attackers to bypass authentication and obtain access to protected web content via an extra slash in a URL, a different vulnerability than CVE-2002-1603. Medium Feb 6, 2009
CVE-2002-2428 webs.c in GoAhead WebServer before 2.1.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an HTTP POST request that contains a Content-Length header but no body data. Medium Feb 6, 2009
CVE-2002-2429 webs.c in GoAhead WebServer before 2.1.4 allows remote attackers to cause a denial of service (daemon crash) via an HTTP POST request that contains a negative integer in the Content-Length header. Medium Feb 6, 2009
CVE-2002-2430 GoAhead WebServer before 2.1.1 allows remote attackers to cause a denial of service (CPU consumption) by performing a socket disconnect to terminate a request before it has been fully processed by the server. Medium Feb 6, 2009
CVE-2002-2431 Unspecified vulnerability in GoAhead WebServer before 2.1.4 allows remote attackers to cause incorrect behavior via unknown malicious code, related to incorrect use of the socketInputBuffered function by sockGen.c. High Feb 9, 2009
CVE-2002-2432 Unspecified vulnerability in NWFTPD.nlm before 5.03b in the FTP server in Novell NetWare allows remote attackers to cause a denial of service (abend) via a crafted username. Medium Apr 5, 2010
CVE-2002-2433 NWFTPD.nlm before 5.03b in the FTP server in Novell NetWare allows remote authenticated users to cause a denial of service (abend) via a crafted ABOR command. Medium Apr 5, 2010
CVE-2002-2434 NWFTPD.nlm before 5.02i in the FTP server in Novell NetWare does not properly listen for data connections, which allows remote attackers to cause a denial of service (abend) via multiple FTP sessions. Medium Apr 5, 2010
CVE-2002-2435 The Cascading Style Sheets (CSS) implementation in Microsoft Internet Explorer 8.0 and earlier does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264. Medium Dec 8, 2011
CVE-2002-2436 The Cascading Style Sheets (CSS) implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264. Medium Dec 8, 2011
CVE-2002-2437 The JavaScript implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method. Medium Dec 8, 2011
CVE-2002-2438 TCP firewalls could be circumvented by sending a SYN Packets with other flags (like e.g. RST flag) set, which was not correctly discarded by the Linux TCP stack after firewalling. MEDIUM May 18, 2021
CVE-2002-2439 Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts. MEDIUM Oct 31, 2019
CVE-2002-2443 schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. Medium May 31, 2013
CVE-2002-2444 Snoopy before 2.0.0 has a security hole in exec cURL HIGH Oct 30, 2019
CVE-2002-2445 GE Healthcare Millennium MG, NC, and MyoSIGHT has a default password of (1) root.genie for the root user, (2) service. for the service user, (3) admin.genie for the admin user, (4) reboot for the reboot user, and (5) shutdown for the shutdwon user, which has unspecified impact and attack vectors. High Aug 6, 2015
CVE-2002-2446 GE Healthcare Millennium MG, NC, and MyoSIGHT has a password of insite.genieacq for the insite account that cannot be changed without disabling product functionality for remote InSite support, which has unspecified impact and attack vectors. High Aug 4, 2015
CVE-2002-20001 The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE. MEDIUM Nov 12, 2021
CVE-2003-0367 znew in the gzip package allows local users to overwrite arbitrary files via a symlink attack on temporary files. LOW May 23, 2019
CVE-2003-0772 Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments. HIGH Aug 13, 2019
CVE-2003-1566 Microsoft Internet Information Services (IIS) 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection. Medium Jan 16, 2009
CVE-2003-1567 The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE. Medium Jan 16, 2009
CVE-2003-1568 GoAhead WebServer before 2.1.6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an invalid URL, related to the websSafeUrl function. Medium Feb 9, 2009
CVE-2003-1569 GoAhead WebServer before 2.1.5 on Windows 95, 98, and ME allows remote attackers to cause a denial of service (daemon crash) via an HTTP request with a (1) con, (2) nul, (3) clock$, or (4) config$ device name in a path component, different vectors than CVE-2001-0385. Medium Feb 9, 2009
CVE-2003-1570 The server in IBM Tivoli Storage Manager (TSM) 5.1.x, 5.2.x before 5.2.1.2, and 6.x before 6.1 does not require credentials to observe the server console in some circumstances, which allows remote authenticated administrators to monitor server operations by establishing a console mode session, related to session exposure. Low Apr 8, 2009
CVE-2003-1571 Web Wiz Guestbook 6.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database and obtain sensitive information via a direct request for database/WWGguestbook.mdb. NOTE: it was later reported that 8.21 is also affected. Medium Apr 2, 2009
CVE-2003-1572 Sun Java Media Framework (JMF) 2.1.1 through 2.1.1c allows unsigned applets to cause a denial of service (JVM crash) and read or write unauthorized memory locations via the ReadEnv class, as demonstrated by reading environment variables using modified .data and .size fields. High Jun 2, 2009
CVE-2003-1573 The PointBase 4.6 database component in the J2EE 1.4 reference implementation (J2EE/RI) allows remote attackers to execute arbitrary programs, conduct a denial of service, and obtain sensitive information via a crafted SQL statement, related to inadequate security settings and library bugs in sun.* and org.apache.* packages. High Jun 2, 2009
CVE-2003-1574 TikiWiki 1.6.1 allows remote attackers to bypass authentication by entering a valid username with an arbitrary password, possibly related to the Internet Explorer Remember Me feature. NOTE: some of these details are obtained from third party information. High Aug 26, 2009
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online