Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 131873 entries
IDDescriptionPriorityModified date
CVE-2021-34810 Improper privilege management vulnerability in cgi component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors. MEDIUM Jun 18, 2021
CVE-2021-34809 Improper neutralization of special elements used in a command (\'Command Injection\') vulnerability in task management component in Synology Download Station before 3.8.16-3566 allows remote authenticated users to execute arbitrary code via unspecified vectors. MEDIUM Jun 18, 2021
CVE-2021-34808 Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attackers to access intranet resources via unspecified vectors. MEDIUM Jun 18, 2021
CVE-2021-34807 An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any URL via isredirect=1&redirectURL= in conjunction with the token data (e.g., a valid authtoken= value). MEDIUM Jul 2, 2021
CVE-2021-34803 TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certain situations. MEDIUM Jun 16, 2021
CVE-2021-34801 Valine 1.4.14 allows remote attackers to cause a denial of service (application outage) by supplying a ua (aka User-Agent) value that only specifies the product and version. MEDIUM Jun 16, 2021
CVE-2021-34700 A vulnerability in the CLI interface of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to read arbitrary files on the underlying file system of an affected system. This vulnerability exists because access to sensitive information on an affected system is not sufficiently controlled. An attacker could exploit this vulnerability by gaining unauthorized access to sensitive information on an affected system. A successful exploit could allow the attacker to create forged authentication requests and gain unauthorized access to the web UI of an affected system. -- Jul 22, 2021
CVE-2021-34693 net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. LOW Jun 15, 2021
CVE-2021-34692 iDrive RemotePC before 7.6.48 on Windows allows privilege escalation. A local and low-privileged user can force RemotePC to execute an attacker-controlled executable with SYSTEM privileges. -- Jul 15, 2021
CVE-2021-34691 iDrive RemotePC before 4.0.1 on Linux allows denial of service. A remote and unauthenticated attacker can disconnect a valid user session by connecting to an ephemeral port. -- Jul 15, 2021
CVE-2021-34690 iDrive RemotePC before 7.6.48 on Windows allows authentication bypass. A remote and unauthenticated attacker can bypass cloud authentication to connect and control a system via TCP port 5970 and 5980. -- Jul 15, 2021
CVE-2021-34689 iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A locally authenticated attacker can read the system\'s Personal Key in world-readable %PROGRAMDATA% log files. -- Jul 15, 2021
CVE-2021-34688 iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A locally authenticated attacker can read an encrypted version of the system\'s Personal Key in world-readable %PROGRAMDATA% log files. The encryption is done using a hard-coded static key and is therefore reversible by an attacker. -- Jul 15, 2021
CVE-2021-34687 iDrive RemotePC before 7.6.48 on Windows allows information disclosure. A man in the middle can recover a system\'s Personal Key when a client attempts to make a LAN connection. The Personal Key is transmitted over the network while only being encrypted via a substitution cipher. -- Jul 15, 2021
CVE-2021-34683 An issue was discovered in EXCELLENT INFOTEK CORPORATION (EIC) E-document System 3.0. A remote attacker can use kw/auth/bbs/asp/get_user_email_info_bbs.asp to obtain the contact information (name and e-mail address) of everyone in the entire organization. This information can allow remote attackers to perform social engineering or brute force attacks against the system login page. MEDIUM Jun 16, 2021
CVE-2021-34682 Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature. MEDIUM Jun 14, 2021
CVE-2021-34679 Thycotic Password Reset Server before 5.3.0 allows credential disclosure. MEDIUM Jun 14, 2021
CVE-2021-34676 Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation. -- Jul 19, 2021
CVE-2021-34675 Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports. -- Jul 19, 2021
CVE-2021-34627 A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior. LOW Jul 8, 2021
CVE-2021-34626 A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior. MEDIUM Jul 8, 2021
CVE-2021-34625 A vulnerability in the saveCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to inject arbitrary web scripts. This issue affects versions 2.2.3 and prior. LOW Jul 8, 2021
CVE-2021-34624 A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. . HIGH Jul 8, 2021
CVE-2021-34623 A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. . HIGH Jul 8, 2021
CVE-2021-34622 A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. . MEDIUM Jul 8, 2021
CVE-2021-34621 A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. . HIGH Jul 8, 2021
CVE-2021-34620 The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions MEDIUM Jul 10, 2021
CVE-2021-34619 The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file. -- Jul 21, 2021
CVE-2021-34618 A remote denial of service (DoS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.4.x: All versions; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. -- Jul 20, 2021
CVE-2021-34617 A remote cross-site scripting (XSS) vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.13 and below; Aruba Instant 6.5.x: 6.5.4.13 and below; Aruba Instant 8.3.x: 8.3.0.7 and below; Aruba Instant 8.4.x: 8.4.0.5 and below; Aruba Instant 8.5.x: 8.5.0.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability. -- Jul 20, 2021
CVE-2021-34616 A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. MEDIUM Jul 9, 2021
CVE-2021-34615 A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. MEDIUM Jul 9, 2021
CVE-2021-34614 A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. MEDIUM Jul 8, 2021
CVE-2021-34613 A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. MEDIUM Jul 9, 2021
CVE-2021-34612 A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. MEDIUM Jul 9, 2021
CVE-2021-34611 A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. HIGH Jul 8, 2021
CVE-2021-34610 A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. HIGH Jul 8, 2021
CVE-2021-34609 A remote SQL injection vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.10.0, 6.9.6 and 6.8.9. Aruba has released updates to ClearPass Policy Manager that address this security vulnerability. MEDIUM Jul 8, 2021
CVE-2021-34558 The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic. -- Jul 15, 2021
CVE-2021-34557 XScreenSaver 5.45 can be bypassed if the machine has more than ten disconnectable video outputs. A buffer overflow in update_screen_layout() allows an attacker to bypass the standard screen lock authentication mechanism by crashing XScreenSaver. The attacker must physically disconnect many video outputs. LOW Jun 11, 2021
CVE-2021-34555 OpenDMARC 1.4.1 and 1.4.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a multi-value From header field. MEDIUM Jun 10, 2021
CVE-2021-34553 Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a remote authenticated attacker to get a list of blob files and read the content of a blob file (via a GET request) without having been granted access. MEDIUM Jun 18, 2021
CVE-2021-34552 PIL since 1.1.4 and Pillow since 1.0 allowed parameters passed into a convert function to trigger buffer overflow in Convert.c. HIGH Jul 2, 2021
CVE-2021-34551 PHPMailer before 6.5.0 on Windows allows remote code execution if lang_path is untrusted data and has a UNC pathname. MEDIUM Jun 16, 2021
CVE-2021-34550 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006. The v3 onion service descriptor parsing allows out-of-bounds memory access, and a client crash, via a crafted onion service descriptor MEDIUM Jun 29, 2021
CVE-2021-34549 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005. Hashing is mishandled for certain retrieval of circuit data. Consequently. an attacker can trigger the use of an attacker-chosen circuit ID to cause algorithm inefficiency. MEDIUM Jun 29, 2021
CVE-2021-34548 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003. An attacker can forge RELAY_END or RELAY_RESOLVED to bypass the intended access control for ending a stream. MEDIUM Jun 29, 2021
CVE-2021-34547 PRTG Network Monitor 20.1.55.1775 allows /editsettings CSRF for user account creation. MEDIUM Jun 10, 2021
CVE-2021-34546 An unauthenticated attacker with physical access to a computer with NetSetMan Pro before 5.0 installed, that has the pre-logon profile switch button within the Windows logon screen enabled, is able to drop to an administrative shell and execute arbitrary commands as SYSTEM via the save log to file feature. To accomplish this, the attacker can navigate to cmd.exe. HIGH Jun 11, 2021
CVE-2021-34540 Advantech WebAccess 8.4.2 and 8.4.4 allows XSS via the username column of the bwRoot.asp page of WADashboard. MEDIUM Jun 11, 2021
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online