Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 168710 entries
IDDescriptionPriorityModified date
CVE-2023-23606 Memory safety bugs fixed in Firefox 109 -- Jan 18, 2023
CVE-2023-23605 Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7 -- Jan 18, 2023
CVE-2023-23604 Creation of duplicate <code>SystemPrincipal</code> from less secure contexts -- Jan 18, 2023
CVE-2023-23603 Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive -- Jan 18, 2023
CVE-2023-23602 Content Security Policy wasnt being correctly applied to WebSockets in WebWorkers -- Jan 18, 2023
CVE-2023-23601 URL being dragged from cross-origin iframe into same tab triggers navigation -- Jan 18, 2023
CVE-2023-23600 Notification permissions persisted between Normal and Private Browsing on Android -- Jan 18, 2023
CVE-2023-23599 Malicious command could be hidden in devtools output on Windows -- Jan 18, 2023
CVE-2023-23598 Arbitrary file read from GTK drag and drop on Linux -- Jan 18, 2023
CVE-2023-23597 firefox: Logic bug in process allocation allowed to read arbitrary files -- Jan 18, 2023
CVE-2023-23596 jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system. NOTE: this is not part of any NGINX software shipped by F5. -- Jan 20, 2023
CVE-2023-23595 BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as machine example.com login daniel password qwerty in the documentation example for the .netrc file format. NOTE: 2.x versions are no longer supported. There is no available information about whether any later version is affected. -- Jan 15, 2023
CVE-2023-23590 Mercedes-Benz XENTRY Retail Data Storage 7.8.1 allows remote attackers to cause a denial of service (device restart) via an unauthenticated API request. The attacker must be on the same network as the device. -- Jan 15, 2023
CVE-2023-23589 The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002. -- Jan 14, 2023
CVE-2023-23566 A 2-Step Verification problem in Axigen 10.3.3.52 allows an attacker to access a mailbox by bypassing 2-Step Verification when they try to add an account to any third-party webmail service (or add an account to Outlook or Gmail, etc.) with IMAP or POP3 without any verification code. -- Jan 13, 2023
CVE-2023-23560 In certain Lexmark products through 2023-01-12, SSRF can occur because of a lack of input validation. -- Jan 24, 2023
CVE-2023-23559 In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition. -- Jan 13, 2023
CVE-2023-23492 The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the \'ID\' parameter of its \'lwp_forgot_password\' action. -- Jan 27, 2023
CVE-2023-23491 The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scripting vulnerability in the \'category\' parameter of its \'qem_ajax_calendar\' action. -- Jan 26, 2023
CVE-2023-23490 The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the \'surveys_ids\' parameter of its \'ays_surveys_export_json\' action. -- Jan 26, 2023
CVE-2023-23489 The Easy Digital Downloads WordPress Plugin, version < 3.1.0.4, is affected by an unauthenticated SQL injection vulnerability in the \'s\' parameter of its \'edd_download_search\' action. -- Jan 26, 2023
CVE-2023-23488 The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the \'code\' parameter of the \'/pmpro/v1/order\' REST route. -- Jan 26, 2023
CVE-2023-23457 A Segmentation fault was found in UPX in PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a crafted input file allows invalid memory address access that could lead to a denial of service. -- Jan 12, 2023
CVE-2023-23456 A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file. -- Jan 12, 2023
CVE-2023-23455 atm_tc_enqueue in net/sched/sch_atm.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). -- Jan 12, 2023
CVE-2023-23454 cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). -- Jan 12, 2023
CVE-2023-23331 Amano Xoffice parking solutions 7.1.3879 is vulnerable to SQL Injection. -- Jan 24, 2023
CVE-2023-23314 An arbitrary file upload vulnerability in the /api/upload component of zdir v3.2.0 allows attackers to execute arbitrary code via a crafted .ssh file. -- Jan 23, 2023
CVE-2023-23151 bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file deletion vulnerability via the component /include/inc_content_media.php. -- Jan 27, 2023
CVE-2023-23145 GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a memory leak in lsr_read_rare_full function. -- Jan 23, 2023
CVE-2023-23144 Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file bifs/unquantize.c in GPAC version 2.2-rev0-gab012bbfb-master. -- Jan 23, 2023
CVE-2023-23143 Buffer overflow vulnerability in function avc_parse_slice in file media_tools/av_parsers.c. GPAC version 2.3-DEV-rev1-g4669ba229-master. -- Jan 23, 2023
CVE-2023-23024 Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the writer parameter. -- Jan 26, 2023
CVE-2023-23015 Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php. -- Jan 26, 2023
CVE-2023-23014 Cross Site Scripting (XSS) vulnerability in InventorySystem thru commit e08fbbe17902146313501ed0b5feba81d58f455c (on Apr 23, 2021) via edit_store_name and edit_active inputs in file InventorySystem.php. -- Jan 28, 2023
CVE-2023-23012 Cross Site Scripting (XSS) vulnerability in craigrodway classroombookings 2.6.4 allows attackers to execute arbitrary code or other unspecified impacts via the input bgcol in file Weeks.php. -- Jan 28, 2023
CVE-2023-23010 Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Bootstrap thru commit d5904379ca55014c5df34c67deda982c73dc7fe5 (on Dec 27, 2022), allows attackers to execute arbitrary code via the languages and trans_load parameters in file add_product.php. -- Jan 28, 2023
CVE-2023-22971 Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application. -- Jan 27, 2023
CVE-2023-22964 Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled. -- Jan 27, 2023
CVE-2023-22963 The personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the ^000[0-9]$ regular expression. -- Jan 11, 2023
CVE-2023-22960 Lexmark products through 2023-01-10 have Improper Control of Interaction Frequency. -- Jan 24, 2023
CVE-2023-22959 WebChess through 0.9.0 and 1.0.0.rc2 allows SQL injection: mainmenu.php, chess.php, and opponentspassword.php (txtFirstName, txtLastName). -- Jan 11, 2023
CVE-2023-22958 The Syracom Secure Login plugin before 3.1.1.0 for Jira may allow spoofing of 2FA PIN validation via the plugins/servlet/twofactor/public/pinvalidation target parameter. -- Jan 11, 2023
CVE-2023-22952 In SugarCRM before 12.0. Hotfix 91155, a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation. -- Jan 11, 2023
CVE-2023-22947 ** DISPUTED ** Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable\'s folder. This occurs because the installation goes under C:\\opt (rather than C:\\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that We consider the ACLs a best effort thing and it was a documentation mistake. -- Jan 11, 2023
CVE-2023-22945 In the GrowthExperiments extension for MediaWiki through 1.39, the growthmanagementorlist API allows blocked users (blocked in ApiManageMentorList) to enroll as mentors or edit any of their mentorship-related properties. -- Jan 11, 2023
CVE-2023-22912 An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. CheckUser TokenManager insecurely uses AES-CTR encryption with a repeated (aka re-used) nonce, allowing an adversary to decrypt. -- Jan 26, 2023
CVE-2023-22911 An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context. -- Jan 13, 2023
CVE-2023-22910 An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability. -- Jan 26, 2023
CVE-2023-22909 An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because database queries are slow. -- Jan 13, 2023
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online