Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 164065 entries
IDDescriptionPriorityModified date
CVE-2024-30235 Missing Authorization vulnerability in Themeisle Multiple Page Generator Plugin – MPG.This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0. -- Mar 26, 2024
CVE-2024-30234 Missing Authorization vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.1. -- Mar 26, 2024
CVE-2024-30233 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.1. -- Mar 26, 2024
CVE-2024-30232 Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Exclusive Addons Exclusive Addons Elementor allows Stored XSS.This issue affects Exclusive Addons Elementor: from n/a through 2.6.9. -- Mar 26, 2024
CVE-2024-30231 Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce.This issue affects Product Import Export for WooCommerce: from n/a through 2.4.1. -- Mar 26, 2024
CVE-2024-30205 In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23. -- Mar 25, 2024
CVE-2024-30204 In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments. -- Mar 25, 2024
CVE-2024-30203 In Emacs before 29.3, Gnus treats inline MIME contents as trusted. -- Mar 25, 2024
CVE-2024-30202 In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23. -- Mar 25, 2024
CVE-2024-30187 Anope before 2.0.15 does not prevent resetting the password of a suspended account. -- Mar 25, 2024
CVE-2024-30161 In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may access QNetworkReply header data via a dangling pointer. -- Mar 25, 2024
CVE-2024-30156 Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack. -- Mar 25, 2024
CVE-2024-29944 An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1. -- Mar 25, 2024
CVE-2024-29943 An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1. -- Mar 22, 2024
CVE-2024-29916 The dormakaba Saflok system before the November 2023 software update allows an attacker to unlock arbitrary doors at a property via forged keycards, if the attacker has obtained one active or expired keycard for the specific property, aka the Unsaflok issue. This occurs, in part, because the key derivation function relies only on a UID. This affects, for example, Saflok MT, and the Confidant, Quantum, RT, and Saffire series. -- Mar 21, 2024
CVE-2024-29883 CreateWiki is Miraheze\'s MediaWiki extension for requesting & creating wikis. Suppression of wiki requests does not work as intended, and always restricts visibility to those with the `(createwiki)` user right regardless of the settings one sets on a given wiki request. This may expose information to users who are not supposed to be able to access it. -- Mar 26, 2024
CVE-2024-29881 TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an `object` or `embed` element and that image could potentially contain a XSS payload. This vulnerability is fixed in 6.8.1 and 7.0.0. -- Mar 26, 2024
CVE-2024-29880 In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process -- Mar 21, 2024
CVE-2024-29879 Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through  /sentrifugo/index.php/index/getdepartments/format/html, \'business_id\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. -- Mar 21, 2024
CVE-2024-29878 Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through  /sentrifugo/index.php/sitepreference/add, \'description\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. -- Mar 21, 2024
CVE-2024-29877 Cross-Site Scripting (XSS) vulnerability in Sentrifugo 3.2, through  /sentrifugo/index.php/expenses/expensecategories/edit, \'expense_category_name\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and steal their session data. -- Mar 21, 2024
CVE-2024-29876 SQL injection vulnerability in Sentrifugo 3.2, through  /sentrifugo/index.php/reports/activitylogreport, \'sortby\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. -- Mar 21, 2024
CVE-2024-29875 SQL injection vulnerability in Sentrifugo 3.2, through  /sentrifugo/index.php/default/reports/exportactiveuserrpt, \'sort_name\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. -- Mar 21, 2024
CVE-2024-29874 SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, \'sort_name\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. -- Mar 21, 2024
CVE-2024-29873 SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, \'bunitname\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. -- Mar 21, 2024
CVE-2024-29872 SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, \'agencyids\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. -- Mar 21, 2024
CVE-2024-29871 SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, \'id\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. -- Mar 21, 2024
CVE-2024-29870 SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, \'business_id\' parameter./sentrifugo/index.php/index/getdepartments/format/html, \'business_id\' parameter. The exploitation of this vulnerability could allow a remote user to send a specially crafted query to the server and extract all the data from it. -- Mar 21, 2024
CVE-2024-29866 Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges. -- Mar 21, 2024
CVE-2024-29865 Logpoint before 7.1.0 allows Self-XSS on the LDAP authentication page via the username to the LDAP login form. -- Mar 22, 2024
CVE-2024-29864 Distrobox before 1.7.0.1 allows attackers to execute arbitrary code via command injection into exported executables. -- Mar 21, 2024
CVE-2024-29862 The Kerlink firewall in ChirpStack chirpstack-mqtt-forwarder before 4.2.1 and chirpstack-gateway-bridge before 4.0.11 wrongly accepts certain TCP packets when a connection is not in the ESTABLISHED state. -- Mar 21, 2024
CVE-2024-29859 In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. -- Mar 21, 2024
CVE-2024-29858 In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload. -- Mar 21, 2024
CVE-2024-29833 The image upload component allows SVG files and the regular expression used to remove script tags can be bypassed by using a Cross Site Scripting payload which does not match the regular expression; one example of this is the inclusion of whitespace within the script tag. An attacker must target an authenticated user with permissions to access this feature, however once uploaded the payload is also accessible to unauthenticated users. -- Mar 26, 2024
CVE-2024-29832 The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. No authentication is required to exploit this issue. Note that other parameters within a AJAX call, such as image_id, must be valid for this vulnerability to be successfully exploited. -- Mar 26, 2024
CVE-2024-29810 The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue. -- Mar 26, 2024
CVE-2024-29809 The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue. -- Mar 26, 2024
CVE-2024-29808 The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue. -- Mar 26, 2024
CVE-2024-29735 Improper Preservation of Permissions vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow\'s local file task handler in Airflow incorrectly set permissions for all parent folders of log folder, in default configuration adding write access to Unix group of the folders. In the case Airflow is run with the root user (not recommended) it added group write permission to all folders up to the root of the filesystem. If your log files are stored in the home directory, these permission changes might impact your ability to run SSH operations after your home directory becomes group-writeable. This issue does not affect users who use or extend Airflow using Official Airflow Docker reference images ( https://hub.docker.com/r/apache/airflow/ ) - those images require to have group write permission set anyway. You are affected only if you install Airflow using local installation / virtualenv or other Docker images, but the issue has no impact if docker containers are used as intended, i.e. where Airflow components do not share containers with other applications and users. Also you should not be affected if your umask is 002 (group write enabled) - this is the default on many linux systems. Recommendation for users using Airflow outside of the containers: * if you are using root to run Airflow, change your Airflow user to use non-root * upgrade Apache Airflow to 2.8.4 or above * If you prefer not to upgrade, you can change the https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#file-task-handler-new-folder-permissions  to 0o755 (original value 0o775). * if you already ran Airflow tasks before and your default umask is 022 (group write disabled) you should stop Airflow components, check permissions of AIRFLOW_HOME/logs in all your components and all parent directories of this directory and remove group write access for all the parent directories -- Mar 26, 2024
CVE-2024-29732 A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via user parameter. -- Mar 21, 2024
CVE-2024-29684 DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /src/dede/makehtml_homepage.php allowing a remote attacker to execute arbitrary code. -- Mar 26, 2024
CVE-2024-29666 Insecure Permissions vulnerability in Vehicle Monitoring platform system CMSV6 v.7.31.0.2 through v.7.32.0.3 allows a remote attacker to escalate privileges via the default password component. -- Mar 26, 2024
CVE-2024-29650 An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the mutIn and mutInManyUnsafe components. -- Mar 25, 2024
CVE-2024-29644 Cross Site Scripting vulnerability in dcat-admin v.2.1.3 and before allows a remote attacker to execute arbitrary code via a crafted script to the user login box. -- Mar 26, 2024
CVE-2024-29515 File Upload vulnerability in lepton v.7.1.0 allows a remote authenticated attackers to execute arbitrary code via uploading a crafted PHP file to the save.php and config.php component. -- Mar 26, 2024
CVE-2024-29499 Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/users/delete/2. -- Mar 22, 2024
CVE-2024-29474 OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Management module. -- Mar 21, 2024
CVE-2024-29473 OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Role Management module. -- Mar 21, 2024
CVE-2024-29472 OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Privilege Management module. -- Mar 21, 2024
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online