Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 101446 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2022-34495 rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free. -- Jun 26, 2022 n/a
CVE-2022-34494 rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free. -- Jun 26, 2022 n/a
CVE-2022-33124 ** DISPUTED ** AIOHTTP 3.8.1 can report a ValueError: Invalid IPv6 URL outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application. -- Jun 26, 2022 n/a
CVE-2022-31795 An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the grel_finfo function in grel.php. An attacker is able to influence the username (user), password (pw), and file-name (file) parameters and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. -- Jun 26, 2022 n/a
CVE-2022-31794 An issue was discovered on Fujitsu ETERNUS CentricStor CS8000 (Control Center) devices before 8.1A SP02 P04. The vulnerability resides in the requestTempFile function in hw_view.php. An attacker is able to influence the unitName POST parameter and inject special characters such as semicolons, backticks, or command-substitution sequences in order to force the application to execute arbitrary commands. -- Jun 26, 2022 n/a
CVE-2022-2206 Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. -- Jun 26, 2022 n/a
CVE-2020-27509 Persistent XSS in Galaxkey Secure Mail Client in Galaxkey up to 5.6.11.5 allows an attacker to perform an account takeover by intercepting the HTTP Post request when sending an email and injecting a specially crafted XSS payload in the \'subject\' field. The payload executes when the recipient logs into their mailbox. -- Jun 26, 2022 n/a
CVE-2022-34491 In the RSS extension for MediaWiki through 1.38.1, when the $wgRSSAllowLinkTag config variable was set to true, and a new RSS feed was created with certain XSS payloads within its description tags and added to the $wgRSSUrlWhitelist config variable, stored XSS could occur via MediaWiki\'s template system whenever that feed was loaded via the rss document tag. -- Jun 25, 2022 n/a
CVE-2022-34066 The Texercise package in PyPI v0.0.1 to v0.0.12 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34065 The Rondolu-YT-Concate package in PyPI v0.1.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34064 The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34061 The Catly-Translate package in PyPI v0.0.3 to v0.0.5 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34060 The Togglee package in PyPI version v0.0.8 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34059 The Sixfab-Tool in PyPI v0.0.2 to v0.0.3 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34057 The Scoptrial package in PyPI version v0.0.5 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34056 The Watertools package in PyPI v0.0.0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34055 The drxhello package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34054 The Perdido package in PyPI v0.0.1 to v0.0.2 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-34053 The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-33128 RG-EG series gateway EG350 EG_RGOS 11.1(6) was discovered to contain a SQL injection vulnerability via the function get_alarmAction at /alarm_pi/alarmService.php. -- Jun 25, 2022 n/a
CVE-2022-33122 A stored cross-site scripting (XSS) vulnerability in eyoucms v1.5.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL field under the login page. -- Jun 25, 2022 n/a
CVE-2022-33121 A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link. -- Jun 25, 2022 n/a
CVE-2022-33004 The Beginner package in PyPI v0.0.2 to v0.0.4 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-33003 The watools package in PyPI v0.0.1 to v0.0.8 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-33002 The KGExplore package in PyPI v0.1.1 to v0.1.2 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-33001 The AAmiles package in PyPI v0.1.0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-33000 The ML-Scanner package in PyPI v0.1.0 to v0.1.5 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-32999 The cloudlabeling package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-32998 The cryptoasset-data-downloader package in PyPI v1.0.0 to v1.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-32997 The RootInteractive package in PyPI v0.0.5 to v0.0.19b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-32996 The django-navbar-client package of v0.9.50 to v1.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges. -- Jun 25, 2022 n/a
CVE-2022-31017 Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. A stream configured as private with protected history, where new subscribers should not be allowed to see messages sent before they were subscribed, when edited causes the server to incorrectly send an API event that includes the edited message to all of the stream’s current subscribers. This API event is ignored by official clients, but can be observed by using a modified client or the browser’s developer tools. This bug will be fixed in Zulip Server 5.3. There are no known workarounds. -- Jun 25, 2022 n/a
CVE-2022-31016 Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade. -- Jun 25, 2022 n/a
CVE-2022-30885 ** Reserved ** The pyesasky for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2.0-1.4.2. LOW Jun 25, 2022 n/a
CVE-2022-29931 Raytion 7.2.0 allows reflected Cross-site Scripting (XSS). -- Jun 25, 2022 n/a
CVE-2022-29168 Wire is a secure messaging application. Wire is vulnerable to arbitrary HTML and Javascript execution via insufficient escaping when rendering `@mentions` in the wire-webapp. If a user receives and views a malicious message, arbitrary code is injected and executed in the context of the victim allowing the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-05-04-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-05-04-production.0-v0.29.7-0-a6f2ded or wire-server 2022-05-04 (chart/4.11.0) or later. No known workarounds exist. -- Jun 25, 2022 n/a
CVE-2022-24893 ESP-IDF is the official development framework for Espressif SoCs. In Espressif’s Bluetooth Mesh SDK (`ESP-BLE-MESH`), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the `SegN` field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system. Patch commits are available on the 4.1, 4.2, 4.3 and 4.4 branches and users are recommended to upgrade. The upgrade is applicable for all applications and users of `ESP-BLE-MESH` component from `ESP-IDF`. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware. -- Jun 25, 2022 n/a
CVE-2022-21231 All versions of package deep-get-set are vulnerable to Prototype Pollution via the \'deep\' function. **Note:** This vulnerability derives from an incomplete fix of [CVE-2020-7715](https://security.snyk.io/vuln/SNYK-JS-DEEPGETSET-598666) -- Jun 25, 2022 n/a
CVE-2021-40894 A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in underscore-99xp v1.7.2 when the deepValueSearch function is called. -- Jun 25, 2022 n/a
CVE-2019-25071 ** DISPUTED ** A vulnerability was found in Apple iPhone up to 12.4.1. It has been declared as critical. Affected by this vulnerability is Siri. Playing an audio or video file might be able to initiate Siri on the same device which makes it possible to execute commands remotely. Exploit details have been disclosed to the public. The existence and implications of this vulnerability are doubted by Apple even though multiple public videos demonstrating the attack exist. Upgrading to version 13.0 migt be able to address this issue. It is recommended to upgrade affected devices. -- Jun 25, 2022 n/a
CVE-2022-33953 IBM Robotic Process Automation 21.0.1 and 21.0.2 could allow a user with psychical access to the system to obtain sensitive information due to insufficiently protected access tokens. IBM X-Force ID: 229198. -- Jun 24, 2022 n/a
CVE-2022-33910 An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php opens the SVG document in a browser tab instead of downloading it as a file, causing the JavaScript code to execute. -- Jun 24, 2022 n/a
CVE-2022-32990 An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS). -- Jun 24, 2022 n/a
CVE-2022-32987 Multiple cross-site scripting (XSS) vulnerabilities in /bsms/?page=manage_account of Simple Bakery Shop Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username or Full Name fields. -- Jun 24, 2022 n/a
CVE-2022-32530 A CWE-668 Exposure of Resource to Wrong Sphere vulnerability exists that could cause users to be misled, hiding alarms, showing the wrong server connection option or the wrong control request when a mobile device has been compromised by a malicious application. Affected Product: Geo SCADA Mobile (Build 222 and prior) -- Jun 24, 2022 n/a
CVE-2022-32405 Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the \'id\' parameter at /pms/admin/prisons/view_prison.php:4 -- Jun 24, 2022 n/a
CVE-2022-32404 Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the \'id\' parameter at /pms/admin/inmates/manage_inmate.php:3 -- Jun 24, 2022 n/a
CVE-2022-32403 Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the \'id\' parameter at /pms/admin/inmates/manage_record.php:4 -- Jun 24, 2022 n/a
CVE-2022-32402 Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the \'id\' parameter at /pms/admin/prisons/manage_prison.php:4 -- Jun 24, 2022 n/a
CVE-2022-32401 Prison Management System v1.0 was discovered to contain a SQL injection vulnerability via the \'id\' parameter at /pms/admin/inmates/manage_privilege.php:4 -- Jun 24, 2022 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online