Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 153501 entries
IDDescriptionPriorityModified date
CVE-2017-20068 A vulnerability was found in Hindu Matrimonial Script. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/usermanagement.php. The manipulation leads to improper privilege management. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. -- Jun 21, 2022
CVE-2017-20067 A vulnerability was found in Hindu Matrimonial Script. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/. The manipulation of the argument username/password with the input \'or\'\'=\' leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. -- Jun 21, 2022
CVE-2017-20066 A vulnerability has been found in Adminer Login 1.4.4 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to improper access controls. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. -- Jun 21, 2022
CVE-2017-20065 A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. -- Jun 21, 2022
CVE-2013-1916 In WordPress Plugin User Photo 0.9.4, when a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress. This backdoor can be called (executed) even if the photo has not been yet approved. -- Jun 24, 2022
CVE-2013-1891 In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed. -- Jun 24, 2022
CVE-2022-30632 This is a PRIVATE issue tracked in b/226945200 and fixed by http://tg/1423262. -- Jun 20, 2022
CVE-2022-30630 This is a PRIVATE issue tracked in b/231318890 and fixed by http://tg/1422952. -- Jun 20, 2022
CVE-2022-2122 Potential heap overwrite in the qt demuxer when handling certain QuickTime/MP4 files in GStreamer versions before 1.20.3. -- Jun 20, 2022
CVE-2022-2078 kernel: Vulnerability of buffer overflow in nft_set_desc_concat_parse() -- Jun 16, 2022
CVE-2022-2011 Use after free in ANGLE. -- Jun 14, 2022
CVE-2022-2010 Out of bounds read in compositing. -- Jun 14, 2022
CVE-2022-2008 Out of bounds memory access in WebGL. -- Jun 14, 2022
CVE-2022-2007 Use after free in WebGPU. -- Jun 14, 2022
CVE-2022-1976 kernel: a use-after-free in __lock_acquire may lead to a crash -- Jun 15, 2022
CVE-2022-1925 DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression -- Jun 17, 2022
CVE-2022-1924 DOS / potential heap overwrite in mkv demuxing using lzo decompression -- Jun 17, 2022
CVE-2022-1923 Potential heap overwrite in the mkv demuxer when handling certain Matroska/WebM files in GStreamer versions before 1.20.3. -- Jun 17, 2022
CVE-2022-1922 Potential heap overwrite in the mkv demuxer when handling certain Matroska/WebM files in GStreamer versions before 1.20.3. -- Jun 17, 2022
CVE-2022-1921 videmux: Fix integer overflow resulting in heap corruption in DIB buffer inversion code -- Jun 17, 2022
CVE-2022-1920 atroskademux: Avoid integer-overflow resulting in heap corruption in WavPack header handling code -- Jun 17, 2022
CVE-2022-34006 An issue was discovered in TitanFTP (aka Titan FTP) NextGen before 1.2.1050. When installing, Microsoft SQL Express 2019 installs by default with an SQL instance running as SYSTEM with BUILTIN\\Users as sysadmin, thus enabling unprivileged Windows users to execute commands locally as NT AUTHORITY\\SYSTEM, aka NX-I674 (sub-issue 2). NOTE: as of 2022-06-21, the 1.2.1050 release corrects this vulnerability in a new installation, but not in an upgrade installation. -- Jun 19, 2022
CVE-2022-34005 An issue was discovered in TitanFTP (aka Titan FTP) NextGen before 1.2.1050. There is Remote Code Execution due to a hardcoded password for the sa account on the Microsoft SQL Express 2019 instance installed by default during TitanFTP NextGen installation, aka NX-I674 (sub-issue 1). NOTE: as of 2022-06-21, the 1.2.1050 release corrects this vulnerability in a new installation, but not in an upgrade installation. -- Jun 19, 2022
CVE-2022-34000 libjxl 0.6.1 has an assertion failure in LowMemoryRenderPipeline::Init() in render_pipeline/low_memory_render_pipeline.cc. -- Jun 19, 2022
CVE-2022-33987 The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket. -- Jun 18, 2022
CVE-2022-33981 drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function. -- Jun 18, 2022
CVE-2022-33915 Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID. -- Jun 17, 2022
CVE-2022-33912 A permission issue affects users that deployed the shipped version of the Checkmk Debian package. Packages created by the agent bakery (enterprise editions only) were not affected. Using the shipped version of the agents, the maintainer scripts located at /var/lib/dpkg/info/ will be owned by the user and the group with ID 1001. If such a user exists on the system, they can change the content of these files (which are then executed by root). This leads to a local privilege escalation on the monitored host. Version 1.6 through 1.6.9p29, version 2.0 through 2.0.0p26, version 2.1 through 2.1.0p3, and version 2.2.0i1 are affected. -- Jun 17, 2022
CVE-2022-33756 CA Automic Automation 12.2 and 12.3 contain an entropy weakness vulnerability in the Automic AutomationEngine that could allow a remote attacker to potentially access sensitive data. -- Jun 17, 2022
CVE-2022-33755 CA Automic Automation 12.2 and 12.3 contain an insecure input handling vulnerability in the Automic Agent that could allow a remote attacker to potentially enumerate users. -- Jun 17, 2022
CVE-2022-33754 CA Automic Automation 12.2 and 12.3 contain an insufficient input validation vulnerability in the Automic agent that could allow a remote attacker to potentially execute arbitrary code. -- Jun 17, 2022
CVE-2022-33753 CA Automic Automation 12.2 and 12.3 contain an insecure file creation and handling vulnerability in the Automic agent that could allow a user to potentially elevate privileges. -- Jun 17, 2022
CVE-2022-33752 CA Automic Automation 12.2 and 12.3 contain an insufficient input validation vulnerability in the Automic agent that could allow a remote attacker to potentially execute arbitrary code. -- Jun 17, 2022
CVE-2022-33751 CA Automic Automation 12.2 and 12.3 contain an insecure memory handling vulnerability in the Automic agent that could allow a remote attacker to potentially access sensitive data. -- Jun 17, 2022
CVE-2022-33750 CA Automic Automation 12.2 and 12.3 contain an authentication error vulnerability in the Automic agent that could allow a remote attacker to potentially execute arbitrary commands. -- Jun 17, 2022
CVE-2022-33739 CA Clarity 15.8 and below and 15.9.0 contain an insecure XML parsing vulnerability that could allow a remote attacker to potentially view the contents of any file on the system. -- Jun 17, 2022
CVE-2022-33175 Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 have an insecure permissions setting on the user.token field that is accessible to everyone through the /cgi/get_param.cgi HTTP API. This leads to disclosing active session ids of currently logged-in administrators. The session id can then be reused to act as the administrator, allowing reading of the cleartext password, or reconfiguring the device. -- Jun 13, 2022
CVE-2022-33174 Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface (/cgi/get_param.cgi) with the tmpToken cookie set to an empty string followed by a semicolon. This bypasses an active session authorization check. This can be then used to fetch the values of protected sys.passwd and sys.su.name fields that contain the username and password in cleartext. -- Jun 13, 2022
CVE-2022-32547 In ImageMagick, there is load of misaligned address for type \'double\', which requires 8 byte alignment and for type \'float\', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior. -- Jun 16, 2022
CVE-2022-32546 A vulnerability was found in ImageMagick, causing an outside the range of representable values of type \'unsigned long\' at coders/pcl.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior. -- Jun 16, 2022
CVE-2022-32545 A vulnerability was found in ImageMagick, causing an outside the range of representable values of type \'unsigned char\' at coders/psd.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior. -- Jun 16, 2022
CVE-2022-32444 An issue was discovered in u5cms verion 8.3.5 There is a URL redirection vulnerability that can cause a user\'s browser to be redirected to another site via /loginsave.php. -- Jun 17, 2022
CVE-2022-32442 u5cms version 8.3.5 is vulnerable to Cross Site Scripting (XSS). When a user accesses the default home page if the parameter passed in is http://127.0.0.1/? Onmouseover=%27tzgl (96502)%27bad=, it can cause html injection. -- Jun 17, 2022
CVE-2022-32278 XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server. -- Jun 14, 2022
CVE-2022-32276 ** DISPUTED ** Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability. -- Jun 17, 2022
CVE-2022-31941 Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via \\rdms\\admin?page=user\\manage_user&id=. -- Jun 18, 2022
CVE-2022-31914 Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via zms/admin/public_html/save_animal?an_id=24. -- Jun 16, 2022
CVE-2022-31913 Online Discussion Forum Site v1.0 is vulnerable to Cross Site Scripting (XSS) via /odfs/classes/Master.php?f=save_category, name. -- Jun 16, 2022
CVE-2022-31912 Online Tutor Portal Site v1.0 is vulnerable to SQL Injection via /otps/classes/Master.php?f=delete_team. -- Jun 16, 2022
CVE-2022-31911 Online Discussion Forum Site v1.0 is vulnerable to SQL Injection via /odfs/classes/Master.php?f=delete_team. -- Jun 16, 2022
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online