Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) program, maintained by the MITRE Corporation, is a catalogue of standardized identifiers for publicly known vulnerabilities and security exposures.

Showing 50 of 238736 entries. Columns: ID, Description, Priority, Modified date. The Priority column is empty ("--") for every entry shown below.
CVE-2024-48987 Snipe-IT before 7.0.10 allows remote code execution (associated with cookie serialization) when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. -- Oct 11, 2024
CVE-2024-48958 execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. -- Oct 11, 2024
CVE-2024-48957 execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. -- Oct 11, 2024
CVE-2024-48949 The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg() validation. -- Oct 10, 2024
CVE-2024-48942 The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to easily brute-force the 2FA PIN via the plugins/servlet/twofactor/public/pinvalidation endpoint. The last 30 and the next 30 tokens are valid. -- Oct 11, 2024
CVE-2024-48941 The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to bypass 2FA by interacting with the /rest endpoint of Jira, Confluence, or Bitbucket. In the default configuration, /rest is allowlisted. -- Oct 11, 2024
CVE-2024-48938 Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process. -- Oct 11, 2024
CVE-2024-48937 Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows XSS. JavaScript code in the short description of the SLA field in Activity Dialogues is executed. -- Oct 11, 2024
CVE-2024-48933 A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters. -- Oct 11, 2024
CVE-2024-48902 In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API -- Oct 10, 2024
CVE-2024-48827 An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function. -- Oct 11, 2024
CVE-2024-48813 SQL injection vulnerability in employee-management-system-php-and-mysql-free-download.html taskmatic 1.0 allows a remote attacker to execute arbitrary code via the admin_id parameter of the /update-employee.php component. -- Oct 11, 2024
CVE-2024-48788 An issue in YESCAM (com.yescom.YesCam.zwave) 1.0.2 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48787 An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48786 An issue in SWITCHBOT INC SwitchBot (com.theswitchbot.switchbot) 5.0.4 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48784 An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48778 An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48777 LEDVANCE com.ledvance.smartplus.eu 2.1.10 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48776 An issue in Shelly com.home.shelly 1.0.4 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48775 An issue in Plug n Play Camera com.ezset.delaney 1.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48774 An issue in Fermax Asia Pacific Pte Ltd com.fermax.vida 2.4.6 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48773 An issue in WoFit v.7.2.3 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48772 An issue in C-CHIP (com.cchip.cchipamaota) v.1.2.8 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48771 An issue in almando GmbH Almando Play APP (com.almando.play) 1.8.2 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48770 An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48769 An issue in BURG-WÄCHTER KG de.burgwachter.keyapp.app 4.5.0 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48768 An issue in almaodo GmbH appinventor.ai_google.almando_control 2.3.1 allows a remote attacker to obtain sensitive information via the firmware update process. -- Oct 11, 2024
CVE-2024-48041 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Tooltip Glossary allows Stored XSS. This issue affects CM Tooltip Glossary: from n/a through 4.3.9. -- Oct 11, 2024
CVE-2024-48040 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tainacan.Org Tainacan allows SQL Injection. This issue affects Tainacan: from n/a through 0.21.8. -- Oct 11, 2024
CVE-2024-48033 Deserialization of Untrusted Data vulnerability in Elie Burstein, Baptiste Gourdin Talkback allows Object Injection. This issue affects Talkback: from n/a through 1.0. -- Oct 11, 2024
CVE-2024-48020 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Revmakx Backup and Staging by WP Time Capsule allows SQL Injection. This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21. -- Oct 11, 2024
CVE-2024-47976 Improper access removal handling in firmware of some Solidigm DC Products may allow an attacker with physical access to gain unauthorized access. -- Oct 10, 2024
CVE-2024-47975 Improper access control validation in firmware of some Solidigm DC Products may allow an attacker with physical access to gain unauthorized access or an attacker with local access to potentially enable denial of service. -- Oct 11, 2024
CVE-2024-47974 Race condition during resource shutdown in some Solidigm DC Products may allow an attacker to potentially enable denial of service. -- Oct 10, 2024
CVE-2024-47973 In some Solidigm DC Products, a defect in device overprovisioning may provide information disclosure to an attacker. -- Oct 10, 2024
CVE-2024-47972 Improper resource management in firmware of some Solidigm DC Products may allow an attacker to potentially control the performance of the resource. -- Oct 10, 2024
CVE-2024-47971 Improper error handling in firmware of some SSD DC Products may allow an attacker to enable denial of service. -- Oct 10, 2024
CVE-2024-47969 Improper resource management in firmware of some Solidigm DC Products may allow an attacker to potentially enable denial of service. -- Oct 10, 2024
CVE-2024-47968 Improper resource shutdown in middle of certain operations on some Solidigm DC Products may allow an attacker to potentially enable denial of service. -- Oct 10, 2024
CVE-2024-47967 Improper resource initialization handling in firmware of some Solidigm DC Products may allow an attacker to potentially enable denial of service. -- Oct 10, 2024
CVE-2024-47966 Delta Electronics CNCSoft-G2 lacks proper initialization of memory prior to accessing it. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process. -- Oct 10, 2024
CVE-2024-47965 Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process. -- Oct 10, 2024
CVE-2024-47964 Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process. -- Oct 10, 2024
CVE-2024-47963 Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process. -- Oct 10, 2024
CVE-2024-47962 Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can manipulate an insider to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process. -- Oct 10, 2024
CVE-2024-47951 In JetBrains TeamCity before 2024.07.3 stored XSS was possible via server global settings -- Oct 11, 2024
CVE-2024-47950 In JetBrains TeamCity before 2024.07.3 stored XSS was possible in Backup configuration settings -- Oct 11, 2024
CVE-2024-47949 In JetBrains TeamCity before 2024.07.3 path traversal allowed backup file write to arbitrary location -- Oct 11, 2024
CVE-2024-47948 In JetBrains TeamCity before 2024.07.3 path traversal leading to information disclosure was possible via server backups -- Oct 11, 2024
CVE-2024-47913 An issue was discovered in the AbuseFilter extension for MediaWiki before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details for the filter. -- Oct 4, 2024
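The Elliptic entry above (CVE-2024-48949) describes a missing range check on the S half of an EdDSA signature. The following Python is an added illustration written for this page; it is not code from the Elliptic project or from Wind River. It uses a compact, reference-style Ed25519 in pure Python (slow, not constant time, for demonstration only), with a lax verifier that checks only the group equation and a strict one that also rejects S >= n. The private key and message are constructed for the example. Because n*B is the identity, a signature whose S has been replaced by S + n still satisfies the equation, so the lax verifier accepts two distinct encodings of one signature (malleability); the strict check refuses the second.

```python
"""Canonical-S check for Ed25519 (added example, not Elliptic's code).

Reference-style pure-Python Ed25519: slow and not constant time.
The secret key and message used in the demo are constructed.
"""
import hashlib

q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # group order n


def inv(x):
    return pow(x, q - 2, q)


d = (-121665 * inv(121666)) % q
I = pow(2, (q - 1) // 4, q)


def xrecover(y):
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x & 1:
        x = q - x
    return x


By = (4 * inv(5)) % q
B = (xrecover(By), By)  # base point


def edwards(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % q,
            (y1 * y2 + x1 * x2) * inv(1 - t) % q)


def scalarmult(P, e):
    """MSB-first double-and-add; e is not reduced, so e >= L is allowed."""
    R = (0, 1)
    for bit_ in bin(e)[2:]:
        R = edwards(R, R)
        if bit_ == "1":
            R = edwards(R, P)
    return R


def encodepoint(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decodepoint(s):
    v = int.from_bytes(s, "little")
    y = v & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (v >> 255):
        x = q - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % q != 0:
        raise ValueError("point not on curve")
    return (x, y)


def H(m):
    return hashlib.sha512(m).digest()


def secret_scalar(sk):
    h = H(sk)
    a = int.from_bytes(h[:32], "little")
    a &= (1 << 254) - 8  # clamp: clear bits 0-2 and 254-255
    a |= 1 << 254
    return a, h[32:]


def publickey(sk):
    a, _ = secret_scalar(sk)
    return encodepoint(scalarmult(B, a))


def sign(m, sk):
    a, prefix = secret_scalar(sk)
    pk = publickey(sk)
    r = int.from_bytes(H(prefix + m), "little")
    R = encodepoint(scalarmult(B, r))
    k = int.from_bytes(H(R + pk + m), "little")
    S = (r + k * a) % L
    return R + S.to_bytes(32, "little")


def verify_lax(sig, m, pk):
    """Equation check only: S*B == R + H(R,A,m)*A, no range check on S."""
    R = decodepoint(sig[:32])
    A = decodepoint(pk)
    S = int.from_bytes(sig[32:], "little")  # bytes decode to S >= 0 always
    k = int.from_bytes(H(sig[:32] + pk + m), "little")
    return scalarmult(B, S) == edwards(R, scalarmult(A, k))


def verify_strict(sig, m, pk):
    """Also reject S >= n: the check the Elliptic entry says was omitted."""
    if int.from_bytes(sig[32:], "little") >= L:
        return False
    return verify_lax(sig, m, pk)


def malleate(sig):
    """Second encoding of the same signature: S' = S + n (fits in 32 bytes)."""
    S = int.from_bytes(sig[32:], "little")
    return sig[:32] + (S + L).to_bytes(32, "little")
```

A verifier that only checks the group equation accepts `malleate(sig)` as a distinct, valid signature over the same message; anything that keys on signature bytes (transaction IDs, replay caches, deduplication) is then exposed. RFC 8032 requires the strict check, and the fix is one comparison before the curve arithmetic.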
The 'Fixed Release' column is displayed when a single product version is selected in the filter; it lists the release in which the CVE was addressed for that product version. Requires LTSS: customers must have active LTSS (Long Term Security Shield) support to receive up-to-date information about vulnerabilities that may affect legacy software. Contact your Wind River account team, or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.