Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 135147 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2023-2913 An executable used in Rockwell Automation ThinManager ThinServer can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables. -- Jul 18, 2023 n/a
CVE-2023-31175 An Execution with Unnecessary Privileges vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to run system commands with the highest level privilege on the system. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20. -- Aug 31, 2023 n/a
CVE-2015-7850 An exploitable denial of service vulnerability exists in the remote configuration functionality of the Network Time Protocol. A specially crafted configuration file could cause an endless loop resulting in a denial of service. An attacker could provide a the malicious configuration file to trigger this vulnerability. MEDIUM Oct 28, 2015 ntp-1.2.0.0 (VxWorks 7)
CVE-2023-24461 An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. -- May 3, 2023 n/a
CVE-2023-31169 An Improper Handling of Unicode Encoding vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0. -- Aug 31, 2023 n/a
CVE-2023-31149 An Improper Input Validation vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to execute arbitrary code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31160 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31159 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31158 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31157 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31156 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31155 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31154 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31165 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31164 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-31163 An Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) Web Interface could allow a remote authenticated attacker to inject and execute arbitrary script code. See SEL Service Bulletin dated 2022-11-15 for more details. -- May 11, 2023 n/a
CVE-2023-38435 An improper neutralization of input during web page generation (\'Cross-site Scripting\') [CWE-79] vulnerability in Apache Felix Healthcheck Webconsole Plugin version 2.0.2 and prior may allow an attacker to perform a reflected cross-site scripting (XSS) attack. Upgrade to Apache Felix Healthcheck Webconsole Plugin 2.1.0 or higher. -- Jul 25, 2023 n/a
CVE-2023-31171 An Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0. -- Aug 31, 2023 n/a
CVE-2023-31168 An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0. -- Aug 31, 2023 n/a
CVE-2023-31170 An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0. -- Aug 31, 2023 n/a
CVE-2023-31172 An Incomplete Filtering of Special Elements vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0. -- Aug 31, 2023 n/a
CVE-2023-4777 An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins.  -- Sep 8, 2023 n/a
CVE-2023-36858 An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. -- Aug 2, 2023 n/a
CVE-2023-20593 An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. -- Jul 25, 2023 n/a
CVE-2023-28141 An NTFS Junction condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.8.0.31. Attackers may write files to arbitrary locations via a local attack vector. This allows attackers to assume the privileges of the process, and they may delete or otherwise on unauthorized files, allowing for the potential modification or deletion of sensitive files limited only to that specific directory/file object. This vulnerability is bounded to the time of installation/uninstallation and can only be exploited locally. At the time of this disclosure, versions before 4.0 are classified as End of Life. -- Apr 18, 2023 n/a
CVE-2023-3313 An OS common injection vulnerability exists in the ESM certificate API, whereby incorrectly neutralized special elements may have allowed an unauthorized user to execute system command injection for the purpose of privilege escalation or to execute arbitrary commands. -- Jul 11, 2023 n/a
CVE-2023-21521 An SQL Injection vulnerability in the Management Console? (Operator Audit Trail) of BlackBerry AtHoc version 7.15 could allow an attacker to potentially read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. -- Sep 12, 2023 n/a
CVE-2023-3438 An unquoted Windows search path vulnerability existed in the install the MOVE 4.10.x and earlier Windows install service (mvagtsce.exe). The misconfiguration allowed an unauthorized local user to insert arbitrary code into the unquoted service path to obtain privilege escalation and stop antimalware services. -- Jul 3, 2023 n/a
CVE-2023-21406 Ariel Harush and Roy Hodir from OTORIO have found a flaw in the AXIS A1001 when communicating over OSDP. A heap-based buffer overflow was found in the pacsiod process which is handling the OSDP communication allowing to write outside of the allocated buffer. By appending invalid data to an OSDP message it was possible to write data beyond the heap allocated buffer. The data written outside the buffer could be used to execute arbitrary code.  lease refer to the Axis security advisory for more information, mitigation and affected products and software versions. -- Jul 25, 2023 n/a
CVE-2023-43632 As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options” The communication with this server is done using protobuf, and the data is comprised of 2 parts: 1. Header 2. Data When a connection is made, the server is waiting for 4 bytes of data, which will be the header, and these 4 bytes would be parsed as uint32 size of the actual data to come. Then, in the function “handleRequest” this size is then used in order to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this will allow overflowing the stack size allocated for the relevant process with freely controlled data. * An attacker can crash the system. * An attacker can gain control over the system, specifically on the “vtpm_server” process which has very high privileges. -- Sep 21, 2023 n/a
CVE-2023-41349 ASUS router RT-AX88U has a vulnerability of using externally controllable format strings within its Advanced Open VPN function. An authenticated remote attacker can exploit the exported OpenVPN configuration to execute an externally-controlled format string attack, resulting in sensitivity information leakage, or forcing the device to reset and permanent denial of service. -- Sep 19, 2023 n/a
CVE-2023-38031 ASUS RT-AC86U Adaptive QoS - Web History function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. -- Sep 7, 2023 n/a
CVE-2023-38032 ASUS RT-AC86U AiProtection security- related function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. -- Sep 7, 2023 n/a
CVE-2023-39237 ASUS RT-AC86U Traffic Analyzer - Apps analysis function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. -- Sep 7, 2023 n/a
CVE-2023-39236 ASUS RT-AC86U Traffic Analyzer - Statistic function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. -- Sep 7, 2023 n/a
CVE-2023-38033 ASUS RT-AC86U unused Traffic Analyzer legacy Statistic function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services. -- Sep 7, 2023 n/a
CVE-2023-36494 Audit logs on F5OS-A may contain undisclosed sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. -- Aug 2, 2023 n/a
CVE-2023-31429 Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability when using various commands such as “chassisdistribute”, “reboot”, “rasman”, errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable commands that can cause the content of shell interpreted variables to be printed in the terminal. -- Aug 1, 2023 n/a
CVE-2023-31408 Cleartext Storage of Sensitive Information in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to potentially steal user credentials that are stored in the user’s browsers local storage via cross-site-scripting attacks. -- May 15, 2023 n/a
CVE-2023-35699 Cleartext Storage on Disk in the SICK ICR890-4 could allow an unauthenticated attacker with local access to the device to disclose sensitive information by accessing a SD card. -- Jul 10, 2023 n/a
CVE-2023-28076 CloudLink 7.1.2 and all prior versions contain a broken or risky cryptographic algorithm vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability leading to some information disclosure. -- May 16, 2023 n/a
CVE-2023-3393 Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. -- Jun 23, 2023 n/a
CVE-2023-4977 Code Injection in GitHub repository librenms/librenms prior to 23.9.0. -- Sep 15, 2023 n/a
CVE-2023-3551 Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10. -- Jul 8, 2023 n/a
CVE-2023-32099 Compiler removal of buffer clearing in sli_se_sign_hash in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. -- May 18, 2023 n/a
CVE-2023-32098 Compiler removal of buffer clearing in sli_se_sign_message in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. -- May 18, 2023 n/a
CVE-2023-32097 Compiler removal of buffer clearing in sli_crypto_transparent_aead_decrypt_tag in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. -- May 18, 2023 n/a
CVE-2023-32096 Compiler removal of buffer clearing in sli_crypto_transparent_aead_encrypt_tag in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. -- May 18, 2023 n/a
CVE-2023-2481 Compiler removal of buffer clearing in sli_se_opaque_import_key in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. -- May 18, 2023 n/a
CVE-2023-1132 Compiler removal of buffer clearing in sli_se_driver_key_agreement in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in key material duplication to RAM. -- May 18, 2023 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online