Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 107551 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2017-16055 `sqlserver` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16051 `sqliter` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16050 `sqlite.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16049 `nodesqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16054 `nodefabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16048 `node-sqlite` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16052 `node-fabric` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2018-3767 `memjs` versions <= 1.1.0 allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage. MEDIUM Jul 5, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16046 `mariadb` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16045 `jquery.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16039 `hftp` is a static http or ftp server `hftp` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16037 `gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16053 `fabric-js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16038 `f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. This is compounded by `f2e-server` requiring elevated privileges to run. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16044 `d3.js` was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. MEDIUM Jun 4, 2018 -- (Wind River Linux LTS 19)
CVE-2017-16036 `badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `badjs-sourcemap-server` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing ../ in the url. MEDIUM Jun 5, 2018 -- (Wind River Linux LTS 19)
CVE-2014-1858 __init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file. -- Jan 8, 2018 -- (Wind River Linux LTS 19)
CVE-2016-5674 __debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter. HIGH Aug 31, 2016 -- (Wind River Linux LTS 19)
CVE-2019-19039 __btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. LOW Nov 22, 2019 -- (Wind River Linux LTS 19)
CVE-2015-9262 _XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow. -- Aug 7, 2018 -- (Wind River Linux LTS 19)
CVE-2019-14973 _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash. Medium Aug 25, 2019 10.19.45.1 (Wind River Linux LTS 19)
CVE-2019-13597 _s_/sprm/_s_/dyn/Player_setScriptFile in Sahi Pro 8.0.0 allows command execution. It allows one to run \".sah\" scripts via Sahi Launcher. Also, one can create a new script with an editor. It is possible to execute commands on the server using the _execute() function. HIGH Jul 30, 2019 -- (Wind River Linux LTS 19)
CVE-2018-18065 _set_key in agent/helpers/table_container.c in Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an authenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. MEDIUM Oct 8, 2018 -- (Wind River Linux LTS 19)
CVE-2008-2682 _RealmAdmin/login.asp in Realm CMS 2.3 and earlier allows remote attackers to bypass authentication and access admin pages via certain modified cookies, probably including (1) cUserRole, (2) cUserName, and (3) cUserID. High Jun 12, 2008 -- (Wind River Linux LTS 19)
CVE-2008-1099 _macro_Getval in wikimacro.py in MoinMoin 1.5.8 and earlier does not properly enforce ACLs, which allows remote attackers to read protected pages. Medium Feb 5, 2009 -- (Wind River Linux LTS 19)
CVE-2010-0716 _layouts/Upload.aspx in the Documents module in Microsoft SharePoint before 2010 uses URLs with the same hostname and port number for a web site's primary files and individual users' uploaded files (aka attachments), which allows remote authenticated users to leverage same-origin relationships and conduct cross-site scripting (XSS) attacks by uploading TXT files, a related issue to CVE-2008-5026. NOTE: the vendor disputes the significance of this issue, because cross-domain isolation can be implemented when needed. Low Mar 1, 2010 -- (Wind River Linux LTS 19)
CVE-2011-4116 _is_safe in the File::Temp module for Perl does not properly handle symlinks. MEDIUM Feb 5, 2020 -- (Wind River Linux LTS 19)
CVE-2019-7748 _includes\\online.php in DbNinja 3.2.7 allows XSS via the data.php task parameter if _users/admin/tasks.php exists. Medium Feb 12, 2019 -- (Wind River Linux LTS 19)
CVE-2019-19733 _get_all_file_server_paths.ajax.php (aka get_all_file_server_paths.ajax.php) in MFScripts YetiShare 3.5.2 through 4.5.3 does not sanitize or encode the output from the fileIds parameter on the page, which would allow an attacker to input HTML or execute scripts on the site, aka XSS. MEDIUM Jan 7, 2020 -- (Wind River Linux LTS 19)
CVE-2009-1936 _functions.php in cpCommerce 1.2.x, possibly including 1.2.9, sends a redirect but does not exit when it is called directly, which allows remote attackers to bypass a protection mechanism to conduct remote file inclusion and directory traversal attacks, ro execute arbitrary PHP code or read arbitrary files, via the GLOBALS[prefix] parameter, a different vector than CVE-2003-1500. Medium Jun 8, 2009 -- (Wind River Linux LTS 19)
CVE-2019-19830 _core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote authenticated authors to inject content into the database. MEDIUM Dec 19, 2019 -- (Wind River Linux LTS 19)
CVE-2018-15563 _core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] parameter. MEDIUM Oct 2, 2018 -- (Wind River Linux LTS 19)
CVE-2018-16790 _bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer. MEDIUM Sep 10, 2018 -- (Wind River Linux LTS 19)
CVE-2008-6473 _blogadata/include/init_pass2.php in Blogator-script 0.95 allows remote attackers to change the password for arbitrary users via a modified a parameter with a % wildcard symbol in the b parameter. Medium Mar 16, 2009 -- (Wind River Linux LTS 19)
CVE-2017-14938 _bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file. Medium Oct 3, 2017 -- (Wind River Linux LTS 19)
CVE-2017-15225 _bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (memory leak) via a crafted ELF file. MEDIUM Oct 10, 2017 -- (Wind River Linux LTS 19)
CVE-2019-19734 _account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. MEDIUM Jan 7, 2020 -- (Wind River Linux LTS 19)
CVE-2019-19805 _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 takes a different amount of time to return depending on whether an email address is configured for the account name provided. This can be used by an attacker to enumerate accounts by guessing email addresses. MEDIUM Jan 8, 2020 -- (Wind River Linux LTS 19)
CVE-2019-19806 _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 displays a message indicating whether an email address is configured for the account name provided. This can be used by an attacker to enumerate accounts by guessing email addresses. MEDIUM Jan 7, 2020 -- (Wind River Linux LTS 19)
CVE-2018-11077 \'getlogs\' utility in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1 and 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 is affected by an OS command injection vulnerability. A malicious Avamar admin user may potentially be able to execute arbitrary commands under root privilege. HIGH Nov 26, 2018 -- (Wind River Linux LTS 19)
CVE-2018-4445 \"Clear History and Website Data\" did not clear the history. The issue was addressed with improved data deletion. This issue affected versions prior to iOS 12.1.1, Safari 12.0.2. MEDIUM Apr 5, 2019 -- (Wind River Linux LTS 19)
CVE-2017-1000120 [ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter. MEDIUM Oct 4, 2017 -- (Wind River Linux LTS 19)
CVE-2019-16722 ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation. HIGH Sep 23, 2019 -- (Wind River Linux LTS 19)
CVE-2019-16720 ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file. MEDIUM Sep 23, 2019 -- (Wind River Linux LTS 19)
CVE-2019-10647 ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if the 192.168.0.1 web server sends the contents of a .php file (i.e., it does not interpret a .php file). HIGH Apr 1, 2019 -- (Wind River Linux LTS 19)
CVE-2019-1010151 zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell. The impact is: getshell. The component is: /user/ppsave.php. HIGH Jul 29, 2019 -- (Wind River Linux LTS 19)
CVE-2019-1010148 zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution. HIGH Jul 24, 2019 -- (Wind River Linux LTS 19)
CVE-2019-1010149 zzcms version 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: zzcms File Delete to Code Execution. The component is: user/licence_save.php. HIGH Jul 26, 2019 -- (Wind River Linux LTS 19)
CVE-2018-1000653 zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx. HIGH Aug 20, 2018 -- (Wind River Linux LTS 19)
CVE-2018-17415 zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter. MEDIUM Mar 22, 2019 -- (Wind River Linux LTS 19)
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.
Live chat
Online