Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing entries from a database of 131873 total
ID  Description  Priority  Modified date
CVE-2021-37470 In NCH WebDictate v2.13, persistent Cross Site Scripting (XSS) exists in the Recipient Name field. An authenticated user can add or modify the affected field to inject arbitrary JavaScript. -- Jul 25, 2021
CVE-2021-37469 In NCH WebDictate v2.13 and earlier, authenticated users can abuse logprop?file=/.. path traversal to read files on the filesystem. -- Jul 25, 2021
CVE-2021-37468 NCH Reflect CRM 3.01 allows local users to discover cleartext user account information by reading the configuration files. -- Jul 25, 2021
CVE-2021-37467 In NCH Quorum v2.03 and earlier, XSS exists via /conferencebrowseuploadfile?confid= (reflected). -- Jul 25, 2021
CVE-2021-37466 In NCH Quorum v2.03 and earlier, XSS exists via /conference?id= (reflected). -- Jul 25, 2021
CVE-2021-37465 In NCH Quorum v2.03 and earlier, XSS exists via /uploaddoc?id= (reflected). -- Jul 25, 2021
CVE-2021-37464 In NCH Quorum v2.03 and earlier, XSS exists via Conference Description (stored). -- Jul 25, 2021
CVE-2021-37463 In NCH Quorum v2.03 and earlier, XSS exists via User Display Name (stored). -- Jul 25, 2021
CVE-2021-37462 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /ipblacklist?errorip= (reflected). -- Jul 25, 2021
CVE-2021-37461 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /extensionsinstruction?id= (reflected). -- Jul 25, 2021
CVE-2021-37460 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /planprop?id= (reflected). -- Jul 25, 2021
CVE-2021-37459 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the customer name field (stored). -- Jul 25, 2021
CVE-2021-37458 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the primary phone field (stored). -- Jul 25, 2021
CVE-2021-37457 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the SipRule field (stored). -- Jul 25, 2021
CVE-2021-37456 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the blacklist IP address (stored). -- Jul 25, 2021
CVE-2021-37455 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the outbound dialing plan (stored). -- Jul 25, 2021
CVE-2021-37454 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the line name (stored). -- Jul 25, 2021
CVE-2021-37453 Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via the extension name (stored). -- Jul 25, 2021
CVE-2021-37452 NCH Quorum v2.03 and earlier allows local users to discover cleartext login information relating to users by reading the local .dat configuration files. -- Jul 25, 2021
CVE-2021-37451 Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /msglist?mbx= (reflected). -- Jul 25, 2021
CVE-2021-37450 Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmprop?id= (reflected). -- Jul 25, 2021
CVE-2021-37449 Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via /ogmlist?folder= (reflected). -- Jul 25, 2021
CVE-2021-37448 Cross Site Scripting (XSS) exists in NCH IVM Attendant v5.12 and earlier via the Mailbox name (stored). -- Jul 25, 2021
CVE-2021-37447 In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentdelete?file=/.. for file deletion. -- Jul 25, 2021
CVE-2021-37446 In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via documentprop?file=/.. for file reading. -- Jul 25, 2021
CVE-2021-37445 In NCH Quorum v2.03 and earlier, an authenticated user can use directory traversal via logprop?file=/.. for file reading. -- Jul 25, 2021
CVE-2021-37444 NCH IVM Attendant v5.12 and earlier suffers from a directory traversal weakness upon uploading plugins in a ZIP archive. This can lead to code execution if a ZIP element's pathname is set to a Windows startup folder, a file for the inbuilt Out-Going Message function, or a file for the inbuilt Autodial function. -- Jul 25, 2021
CVE-2021-37443 NCH IVM Attendant v5.12 and earlier allows path traversal via the logdeleteselected check0 parameter for file deletion. -- Jul 25, 2021
CVE-2021-37442 NCH IVM Attendant v5.12 and earlier allows path traversal via viewfile?file=/.. to read files. -- Jul 25, 2021
CVE-2021-37441 NCH Axon PBX v2.22 and earlier allows path traversal for file deletion via the logdelete?file=/.. substring. -- Jul 25, 2021
CVE-2021-37440 NCH Axon PBX v2.22 and earlier allows path traversal for file disclosure via the logprop?file=/.. substring. -- Jul 25, 2021
CVE-2021-37439 NCH FlexiServer v6.00 suffers from a syslog?file=/.. path traversal vulnerability. -- Jul 25, 2021
CVE-2021-37436 Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing personal content via a factory reset. Also, the vendor has reportedly indicated that they are working on mitigations. -- Jul 24, 2021
CVE-2021-37403 OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used. -- Jul 22, 2021
CVE-2021-37402 OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled. -- Jul 22, 2021
CVE-2021-37220 MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted mutool draw input. -- Jul 22, 2021
CVE-2021-37159 hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free. -- Jul 21, 2021
CVE-2021-37155 wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the serial number in the OCSP response. -- Jul 21, 2021
CVE-2021-36980 Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. -- Jul 20, 2021
CVE-2021-36979 Unicorn Engine 1.0.2 has an out-of-bounds write in tb_flush_armeb (called from cpu_arm_exec_armeb and tcg_cpu_exec_armeb). -- Jul 20, 2021
CVE-2021-36978 QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails. -- Jul 20, 2021
CVE-2021-36977 matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-based buffer overflow in H5MM_memcpy (called from H5MM_malloc and H5C_load_entry). -- Jul 20, 2021
CVE-2021-36976 libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block). LOW Jul 20, 2021
CVE-2021-36934 Windows Elevation of Privilege Vulnerability -- Jul 22, 2021
CVE-2021-36799 KNX ETS5 uses the hard-coded password ETS5Password, with a salt value of Ivan Medvedev. -- Jul 19, 2021
CVE-2021-36797 ** DISPUTED ** In Victron Energy Venus OS through 2.72, root access is granted by default to anyone with physical access to the device. NOTE: the vendor disagrees with the reporter's opinion about an alleged security best practices violation. -- Jul 19, 2021
CVE-2021-36773 uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality). -- Jul 18, 2021
CVE-2021-36772 Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. -- Jul 17, 2021
CVE-2021-36771 Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. -- Jul 17, 2021
CVE-2021-36769 A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent by a client. -- Jul 17, 2021
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.