Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing a subset of the 107551 entries in the database.
ID | Description | Priority | Modified date | Fixed Release
CVE-2018-17954 A Least Privilege Violation vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to cause become root on any other node. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. SUSE OpenStack Cloud 8 ardana-cinder versions prior to 8.0+git.1579279939.ee7da88-3.39.3, ardana-. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. SUSE OpenStack Cloud Crowbar 8 crowbar-core versions prior to 5.0+git.1582968668.1a55c77c5-3.35.4, crowbar-. SUSE OpenStack Cloud Crowbar 9 crowbar-core versions prior to 6.0+git.1582892022.cbd70e833-3.19.3, crowbar-. -- Apr 3, 2020 -- (Wind River Linux LTS 19)
CVE-2020-5283 ViewVC before versions 1.1.28 and 1.2.1 has a XSS vulnerability in CVS show_subdir_lastmod support. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. This vulnerability is patched in versions 1.2.1 and 1.1.28. -- Apr 3, 2020 -- (Wind River Linux LTS 19)
CVE-2020-7948 An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. A user can perform an insecure direct object reference. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11465 An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* endpoints failed to properly validate a user's privilege, allowing an attacker to control/install helpdesk applications and leak current applications' configurations, including applications used as user sources (used for authentication). This enables an attacker to forge valid authentication models that resembles any user on the system. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-10864 An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to trigger a reboot via RPC from a Low Integrity process. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11490 Manage::Certificates in Zen Load Balancer 3.10.1 allows remote authenticated admins to execute arbitrary OS commands via shell metacharacters in the index.cgi cert_issuer, cert_division, cert_organization, cert_locality, cert_state, cert_country, or cert_email parameter. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11463 An issue was discovered in Deskpro before 2019.8.0. The /api/email_accounts endpoint failed to properly validate a user's privilege, allowing an attacker to retrieve cleartext credentials of all helpdesk email accounts, including incoming and outgoing email credentials. This enables an attacker to get full access to all emails sent or received by the system including password reset emails, making it possible to reset any user's password. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11444 Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has Incorrect Access Control. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3903 A memory corruption issue was addressed with improved memory handling. This issue is fixed in macOS Catalina 10.15.4. An application may be able to execute arbitrary code with system privileges. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11456 LimeSurvey before 4.1.12+200324 has stored XSS in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php (aka survey groups). MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3850 A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-9780 The issue was resolved by clearing application previews when content is deleted. This issue is fixed in iOS 13.4 and iPadOS 13.4. A local user may be able to view deleted content in the app switcher. LOW Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3907 An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A local user may be able to cause unexpected system termination or read kernel memory. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-7627 node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute()' function. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3849 A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-10863 An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to trigger a shutdown via RPC from a Low Integrity process via TempShutDownMachine. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-8966 There is an Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in php webpages of Tiki-Wiki Groupware. Tiki-Wiki CMS all versions through 20.0 allows malicious users to cause the injection of malicious code fragments (scripts) into a legitimate web page. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2019-9163 The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3848 A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.3. A remote attacker may be able to cause unexpected application termination or arbitrary code execution. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3904 Multiple memory corruption issues were addressed with improved state management. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-7623 jscover through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary command via the source argument. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-4325 The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, and 19.0.0.3 Global Teams REST API does not properly shutdown the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine can't recover the memory used by those thread pools, which leads to an OutOfMemory exception when the Process Federation Server Global Teams REST API is used extensively. IBM X-Force ID: 177596. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11451 The Upload Visualization plugin in the Microstrategy Web 10.4 admin panel allows an administrator to upload a ZIP archive containing files with arbitrary extensions and data. (This is also exploitable via SSRF.) -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11458 app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from database.php or GPG key passphrases from config.php. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3909 A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3919 A memory initialization issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to execute arbitrary code with kernel privileges. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2019-19090 For ABB eSOMS versions 4.0 to 6.0.2, the Secure Flag is not set in the HTTP response header. Unencrypted connections might access the cookie information, thus making it susceptible to eavesdropping. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11449 An issue was discovered on Technicolor TC7337 8.89.17 devices. An attacker can discover admin credentials in the backup file, aka backupsettings.conf. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2019-19094 Lack of input checks for SQL queries in ABB eSOMS versions 3.9 to 6.0.3 might allow an attacker SQL injection attacks against the backend database. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3911 A buffer overflow was addressed with improved bounds checking. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Multiple issues in libxml2. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11112 FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-8144 The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware update information. If the version field contains ..\ character sequences, the destination file path to save the firmware can be manipulated to be outside the intended destination directory tree. Fixed in UniFi Video Controller v3.10.3 and newer. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-7009 Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11450 Microstrategy Web 10.4 exposes the JVM configuration, CPU architecture, installation folder, and other information through the URL /MicroStrategyWS/happyaxis.jsp. An attacker could use this vulnerability to learn more about the environment the application is running in. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-9773 The issue was addressed with improved handling of icon caches. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. A malicious application may be able to identify what other applications a user has installed. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-7626 karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-10560 An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11469 Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to a user-writable temporary directory during installation, which allows a local process (with the user's privileges) to obtain root access by replacing runwithroot. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-9783 A use after free issue was addressed with improved memory management. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to code execution. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3906 A logic issue was addressed with improved restrictions. This issue is fixed in macOS Catalina 10.15.4. A maliciously crafted application may be able to bypass code signing enforcement. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2018-11802 In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11470 Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user's privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Zoom Client's microphone and camera access. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-7611 All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2019-14868 In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2019-3942 Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2019-14905 A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-11494 An issue was discovered in slc_bump in drivers/net/can/slcan.c in the Linux kernel through 5.6.2. It allows attackers to read uninitialized can_frame data, potentially containing sensitive information from kernel stack memory, if the configuration lacks CONFIG_INIT_STACK_ALL, aka CID-b9258a2cece4. -- Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-3905 A memory corruption issue was addressed with improved input validation. This issue is fixed in macOS Catalina 10.15.4. A malicious application may be able to execute arbitrary code with kernel privileges. HIGH Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-4304 IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
CVE-2020-10866 An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to enumerate the network interfaces and access points from a Low Integrity process via RPC. MEDIUM Apr 2, 2020 -- (Wind River Linux LTS 19)
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.