Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 164524 entries
IDDescriptionPriorityModified date
CVE-2022-24584 Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware bound second factor credentials. When a user reprograms the OTP functionality by writing it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubicos OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value, which is imported into the device, should also be stored elsewhere MEDIUM May 11, 2022
CVE-2022-24585 A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter. LOW Feb 15, 2022
CVE-2022-24586 A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters. LOW Feb 15, 2022
CVE-2022-24587 A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML. LOW Feb 15, 2022
CVE-2022-24588 Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function. LOW Feb 15, 2022
CVE-2022-24589 Burden v3.0 was discovered to contain a stored cross-site scripting (XSS) in the Add Category function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the task parameter. MEDIUM Feb 15, 2022
CVE-2022-24590 A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML. LOW Feb 15, 2022
CVE-2022-24594 In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address. MEDIUM Feb 25, 2022
CVE-2022-24595 Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5 is affected by Incorrect Access Control in usr/bin/afb-daemon. To exploit the vulnerability, an attacker should send a well-crafted HTTP (or WebSocket) request to the socket listened by the afb-daemon process. No credentials nor user interactions are required. HIGH Mar 18, 2022
CVE-2022-24599 In autofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data, however, it dosn\'t use zero bytes to truncate the data. MEDIUM Feb 24, 2022
CVE-2022-24600 Luocms v2.0 is affected by SQL Injection through /admin/login.php. An attacker can log in to the background through SQL injection statements. HIGH Mar 10, 2022
CVE-2022-24601 Luocms v2.0 is affected by SQL Injection in /admin/manager/admin_mod.php. An attacker can obtain sensitive information through SQL injection statements. MEDIUM Mar 10, 2022
CVE-2022-24602 Luocms v2.0 is affected by SQL Injection in /admin/news/news_mod.php. HIGH Mar 10, 2022
CVE-2022-24603 Luocms v2.0 is affected by SQL Injection in /admin/news/sort_mod.php. HIGH Mar 10, 2022
CVE-2022-24604 Luocms v2.0 is affected by SQL Injection in /admin/link/link_mod.php. HIGH Mar 10, 2022
CVE-2022-24605 Luocms v2.0 is affected by SQL Injection in /admin/link/link_ok.php. HIGH Mar 10, 2022
CVE-2022-24606 Luocms v2.0 is affected by SQL Injection in /admin/news/sort_ok.php. HIGH Mar 10, 2022
CVE-2022-24607 Luocms v2.0 is affected by SQL Injection in /admin/news/news_ok.php. HIGH Mar 10, 2022
CVE-2022-24608 Luocms v2.0 is affected by Cross Site Scripting (XSS) in /admin/news/sort_add.php and /inc/function.php. MEDIUM Mar 10, 2022
CVE-2022-24609 Luocms v2.0 is affected by an incorrect access control vulnerability. Through /admin/templates/template_manage.php, an attacker can write an arbitrary shell file. HIGH Mar 10, 2022
CVE-2022-24610 Settings/network settings/wireless settings on the Alecto DVC-215IP camera version 63.1.1.173 and below shows the Wi-Fi passphrase hidden, but by editing/removing the style of the password field the password becomes visible which grants access to an internal network connected to the camera. MEDIUM Feb 24, 2022
CVE-2022-24611 Denial of Service (DoS) in the Z-Wave S0 NonceGet protocol specification in Silicon Labs Z-Wave 500 series allows local attackers to block S0/S2 protected Z-Wave network via crafted S0 NonceGet Z-Wave packages, utilizing included but absent NodeIDs. MEDIUM May 18, 2022
CVE-2022-24612 An authenticated user can upload an XML file containing an XSS via the ITSM module of EyesOfNetwork 5.3.11, resulting in a stored XSS. LOW Feb 25, 2022
CVE-2022-24613 metadata-extractor up to 2.16.0 can throw various uncaught exceptions while parsing a specially crafted JPEG file, which could result in an application crash. This could be used to mount a denial of service attack against services that use metadata-extractor library. MEDIUM Feb 24, 2022
CVE-2022-24614 When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library. MEDIUM Feb 24, 2022
CVE-2022-24615 zip4j up to v2.10.0 can throw various uncaught exceptions while parsing a specially crafted ZIP file, which could result in an application crash. This could be used to mount a denial of service attack against services that use zip4j library. MEDIUM Feb 24, 2022
CVE-2022-24618 Heimdal.Wizard.exe installer in Heimdal Premium Security 2.5.395 and earlier has insecure permissions, which allows unprivileged local users to elevate privileges to SYSTEM via the Browse For Folder window accessible by triggering a Repair on the MSI package located in C:\\Windows\\Installer. HIGH Mar 10, 2022
CVE-2022-24620 Piwigo version 12.2.0 is vulnerable to stored cross-site scripting (XSS), which can lead to privilege escalation. In this way, admin can steal webmaster\'s cookies to get the webmaster\'s access. LOW Feb 24, 2022
CVE-2022-24627 An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form. -- May 30, 2023
CVE-2022-24628 An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is authenticated SQL injection in the id parameter of IPPhoneFirmwareEdit.php. -- May 30, 2023
CVE-2022-24629 An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. Remote code execution can be achieved via directory traversal in the dir parameter of the file upload functionality of BrowseFiles.php. An attacker can upload a .php file to WebAdmin/admin/AudioCodes_files/ajax/. -- May 30, 2023
CVE-2022-24630 An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. BrowseFiles.php allows a ?cmd=ssh POST request with an ssh_command field that is executed. -- May 30, 2023
CVE-2022-24631 An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is stored XSS via the ajaxTenants.php desc parameter. -- May 30, 2023
CVE-2022-24632 An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is directory traversal during file download via the BrowseFiles.php view parameter. -- May 30, 2023
CVE-2022-24633 All versions of FileCloud prior to 21.3 are vulnerable to user enumeration. The vulnerability exists in the parameter path passing /SHARED/<username>. A malicious actor could identify the existence of users by requesting share information on specified share paths. MEDIUM Feb 24, 2022
CVE-2022-24637 Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with \'<?php (instead of the intended <?php sequence) aren\'t handled by the PHP interpreter. MEDIUM Mar 18, 2022
CVE-2022-24643 A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0. LOW Mar 25, 2022
CVE-2022-24644 ZZ Inc. KeyMouse Windows 3.08 and prior is affected by a remote code execution vulnerability during an unauthenticated update. To exploit this vulnerability, a user must trigger an update of an affected installation of KeyMouse. MEDIUM Mar 10, 2022
CVE-2022-24646 Hospital Management System v4.0 was discovered to contain a SQL injection vulnerability in /Hospital-Management-System-master/contact.php via the txtMsg parameters. HIGH Feb 11, 2022
CVE-2022-24647 Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function. MEDIUM Feb 11, 2022
CVE-2022-24651 sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in PHP code execution through /user/upload/upload. HIGH Mar 10, 2022
CVE-2022-24652 sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload. HIGH Mar 10, 2022
CVE-2022-24654 Authenticated stored cross-site scripting (XSS) vulnerability in Field Server Address field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload. -- Aug 17, 2022
CVE-2022-24655 A stack overflow vulnerability exists in the upnpd service in Netgear EX6100v1 201.0.2.28, CAX80 2.1.2.6, and DC112A 1.0.0.62, which may lead to the execution of arbitrary code without authentication. HIGH Mar 18, 2022
CVE-2022-24656 HexoEditor 1.1.8 is affected by Cross Site Scripting (XSS). By putting a common XSS payload in a markdown file, if opened with the app, will execute several times. MEDIUM Mar 25, 2022
CVE-2022-24657 Goldshell ASIC Miners v2.1.x was discovered to contain hardcoded credentials which allow attackers to remotely connect via the SSH protocol (port 22). -- Jul 20, 2022
CVE-2022-24659 Goldshell ASIC Miners v2.2.1 and below was discovered to contain a path traversal vulnerability which allows unauthenticated attackers to retrieve arbitrary files from the device. -- Jul 20, 2022
CVE-2022-24660 The debug interface of Goldshell ASIC Miners v2.2.1 and below was discovered to be exposed publicly on the web interface, allowing attackers to access passwords and other sensitive information in plaintext. -- Jul 20, 2022
CVE-2022-24661 A vulnerability has been identified in Simcenter STAR-CCM+ Viewer (All versions < V2022.1). The starview+.exe contains a memory corruption vulnerability while parsing specially crafted .SCE files. This could allow an attacker to execute code in the context of the current process. MEDIUM Mar 11, 2022
CVE-2022-24663 PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user. MEDIUM Feb 16, 2022
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online