Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 175431 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2024-38468 Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API. -- Jun 16, 2024 n/a
CVE-2024-38467 Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized user information retrieval via the queryUser API. -- Jun 16, 2024 n/a
CVE-2024-38466 Shenzhen Guoxin Synthesis image system before 8.3.0 has a 123456Qw default password. -- Jun 16, 2024 n/a
CVE-2024-38465 Shenzhen Guoxin Synthesis image system before 8.3.0 allows username enumeration because of the response discrepancy of incorrect versus error. -- Jun 16, 2024 n/a
CVE-2024-38462 iRODS before 4.3.2 provides an msiSendMail function with a problematic dependency on the mail binary, such as in the mailMS.cpp#L94-L106 reference. -- Jun 16, 2024 n/a
CVE-2024-38461 irodsServerMonPerf in iRODS before 4.3.2 attempts to proceed with use of a path even if it is not a directory. -- Jun 16, 2024 n/a
CVE-2024-38460 In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc). -- Jun 16, 2024 n/a
CVE-2024-38459 langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE; this issue exists because of an incomplete fix for CVE-2024-27444. -- Jun 16, 2024 n/a
CVE-2024-38458 Xenforo before 2.2.16 allows code injection. -- Jun 16, 2024 n/a
CVE-2024-38457 Xenforo before 2.2.16 allows CSRF. -- Jun 16, 2024 n/a
CVE-2024-38454 ExpressionEngine before 7.4.11 allows XSS. -- Jun 16, 2024 n/a
CVE-2024-38448 htags in GNU Global through 6.6.12 allows code execution in situations where dbpath (aka -d) is untrusted, because shell metacharacters may be used. -- Jun 16, 2024 n/a
CVE-2024-38443 C/sorting/binary_insertion_sort.c in The Algorithms - C through e5dad3f has a segmentation fault for deep recursion, which may affect common use cases such as sorting an array of 50 elements. -- Jun 16, 2024 n/a
CVE-2024-38441 Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to \'\\0\' in FPMapName in afp_mapname in etc/afp/directory.c. -- Jun 16, 2024 n/a
CVE-2024-38440 Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. -- Jun 16, 2024 n/a
CVE-2024-38439 Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to \'\\0\' in FPLoginExt in login in etc/uams/uams_pam.c. -- Jun 16, 2024 n/a
CVE-2024-38428 url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. -- Jun 16, 2024 n/a
CVE-2024-38427 In International Color Consortium DemoIccMAX before 85ce74e, a logic flaw in CIccTagXmlProfileSequenceId::ParseXml in IccXML/IccLibXML/IccTagXml.cpp results in unconditionally returning false. -- Jun 16, 2024 n/a
CVE-2024-38396 An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395. -- Jun 16, 2024 n/a
CVE-2024-38395 In iTerm2 before 3.5.2, the Terminal may report window title setting is not honored, and thus remote code execution might occur but is not trivially exploitable. -- Jun 16, 2024 n/a
CVE-2024-38394 Mismatches in interpreting USB authorization policy between GNOME Settings Daemon (GSD) through 46.0 and the Linux kernel\'s underlying device matching logic allow a physically proximate attacker to access some unintended Linux kernel USB functionality, such as USB device-specific kernel modules and filesystem implementations. NOTE: the GSD supplier indicates that consideration of a mitigation for this within GSD would be in the context of a new feature, not a CVE. -- Jun 16, 2024 n/a
CVE-2024-38313 In certain scenarios a malicious website could attempt to display a fake location URL bar which could mislead users as to the actual website address This vulnerability affects Firefox for iOS < 127. -- Jun 13, 2024 n/a
CVE-2024-38312 When browsing private tabs, some data related to location history or webpage thumbnails could be persisted incorrectly within the sandboxed app bundle after app termination This vulnerability affects Firefox for iOS < 127. -- Jun 13, 2024 n/a
CVE-2024-38295 ALCASAR before 3.6.1 allows still_connected.php remote code execution. -- Jun 13, 2024 n/a
CVE-2024-38294 ALCASAR before 3.6.1 allows email_registration_back.php remote code execution. -- Jun 13, 2024 n/a
CVE-2024-38293 ALCASAR before 3.6.1 allows CSRF and remote code execution in activity.php. -- Jun 13, 2024 n/a
CVE-2024-38285 Logs storing credentials are insufficiently protected and can be decoded through the use of open source tools. -- Jun 13, 2024 n/a
CVE-2024-38284 Transmitted data is logged between the device and the backend service. An attacker could use these logs to perform a replay attack to replicate calls. -- Jun 13, 2024 n/a
CVE-2024-38283 Sensitive customer information is stored in the device without encryption. -- Jun 13, 2024 n/a
CVE-2024-38282 Utilizing default credentials, an attacker is able to log into the camera\'s operating system which could allow changes to be made to the operations or shutdown the camera requiring a physical reboot of the system. -- Jun 13, 2024 n/a
CVE-2024-38281 An attacker can access the maintenance console using hard coded credentials for a hidden wireless network on the device. -- Jun 13, 2024 n/a
CVE-2024-38280 An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text. -- Jun 13, 2024 n/a
CVE-2024-38279 The affected product is vulnerable to an attacker modifying the bootloader by using custom arguments to bypass authentication and gain access to the file system and obtain password hashes. -- Jun 13, 2024 n/a
CVE-2024-38083 Microsoft Edge (Chromium-based) Spoofing Vulnerability -- Jun 13, 2024 n/a
CVE-2024-37889 MyFinances is a web application for managing finances. MyFinances has a way to access other customer invoices while signed in as a user. This method allows an actor to access PII and financial information from another account. The vulnerability is fixed in 0.4.6. -- Jun 14, 2024 n/a
CVE-2024-37888 The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**. -- Jun 14, 2024 n/a
CVE-2024-37887 Nextcloud Server is a self hosted personal cloud system. Private shared calendar events\' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1. -- Jun 14, 2024 n/a
CVE-2024-37886 user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0. -- Jun 14, 2024 n/a
CVE-2024-37885 The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0. -- Jun 14, 2024 n/a
CVE-2024-37884 Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3. -- Jun 14, 2024 n/a
CVE-2024-37883 Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A user with access to a deck board was able to access comments and attachments of already deleted cards. It is recommended that the Nextcloud Deck app is upgraded to 1.6.6 or 1.7.5 or 1.8.7 or 1.9.6 or 1.11.3 or 1.12.1. -- Jun 14, 2024 n/a
CVE-2024-37882 Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4. -- Jun 14, 2024 n/a
CVE-2024-37880 The Kyber reference implementation before 9b8d306, when compiled by LLVM Clang through 18.x with some common optimization options, has a timing side channel that allows attackers to recover an ML-KEM 512 secret key in minutes. This occurs because poly_frommsg in poly.c does not prevent Clang from emitting a vulnerable secret-dependent branch. -- Jun 12, 2024 n/a
CVE-2024-37878 Cross Site Scripting vulnerability in TWCMS v.2.0.3 allows a remote attacker to execute arbitrary code via the /TWCMS-gh-pages/twcms/runtime/twcms_view/default,index.htm.php PHP directly echoes parameters input from external sources -- Jun 13, 2024 n/a
CVE-2024-37877 UERANSIM before 3.2.6 allows out-of-bounds read when a RLS packet is sent to gNodeB with malformed PDU length. This occurs in function readOctetString in src/utils/octet_view.cpp and in function DecodeRlsMessage in src/lib/rls/rls_pdu.cpp -- Jun 13, 2024 n/a
CVE-2024-37849 A SQL Injection vulnerability in itsourcecode Billing System 1.0 allows a local attacker to execute arbitrary code in process.php via the username parameter. -- Jun 13, 2024 n/a
CVE-2024-37831 Itsourcecode Payroll Management System 1.0 is vulnerable to SQL Injection in payroll_items.php via the ID parameter. -- Jun 14, 2024 n/a
CVE-2024-37665 An access control issue in Wvp GB28181 Pro 2.0 allows authenticated attackers to escalate privileges to Administrator via a crafted POST request. -- Jun 13, 2024 n/a
CVE-2024-37645 TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a stack overflow vulnerability via the submit-url parameter at /formSysLog . -- Jun 14, 2024 n/a
CVE-2024-37644 TRENDnet TEW-814DAP v1_(FW1.01B01) was discovered to contain a hardcoded password vulnerability in /etc/shadow.sample, which allows attackers to log in as root. -- Jun 14, 2024 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online