Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) program, maintained by the MITRE Corporation, is a catalog of standardized identifiers for publicly disclosed vulnerabilities and security exposures.

Showing one page of 179121 entries
ID | Description | Priority | Modified date | Fixed Release
CVE-2024-41129 The ops library is a Python framework for developing and testing Kubernetes and machine charms. The issue here is that ops passes the secret content as one of the args via CLI. This issue may affect any of the charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing `subprocess.CalledProcessError`. This vulnerability is fixed in 2.15.0. -- Jul 22, 2024 n/a
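The failure mode in the ops entry above is generic: whenever a secret travels as a command-line argument, a failed `subprocess.run(check=True)` hands it back inside `CalledProcessError.cmd`, and anything that logs or re-raises that exception writes the secret out (it is also visible in `ps` for the lifetime of the child). The following is an added example, not code from the ops library or Juju; the secret value and the deliberately failing child process are constructed stand-ins.

```python
"""Added example (not ops/Juju code): a secret passed in argv leaks through
subprocess.CalledProcessError; passing it on stdin and redacting the command
before the exception reaches a logger keeps it out of logs and the process list."""
import subprocess
import sys

# Constructed stand-in for a secret value handed to a hook tool.
SECRET = "hunter2-very-secret"

# Constructed child that always fails (exit 1) so check=True raises.
FAILING_CHILD = [sys.executable, "-c", "import sys; sys.exit(1)"]


def vulnerable_call(secret: str) -> str:
    """Pattern in the advisory: the secret is one of the argv entries.
    On failure, CalledProcessError.cmd (and therefore str(e)) carries it, so a
    caller that logs or propagates the exception writes the secret to its logs."""
    try:
        subprocess.run(FAILING_CHILD + ["--secret", secret], check=True)
    except subprocess.CalledProcessError as e:
        return str(e)  # contains the secret verbatim
    return ""


def hardened_call(secret: str) -> str:
    """Deliver the secret on stdin (never on argv, never in the environment)
    and rebuild the exception with a redacted command line before it can be
    logged, so neither `ps` nor the traceback exposes secret material."""
    try:
        subprocess.run(
            FAILING_CHILD, input=secret.encode(), check=True, capture_output=True
        )
    except subprocess.CalledProcessError as e:
        redacted = subprocess.CalledProcessError(
            e.returncode, ["<redacted cmd>"], output=e.output, stderr=e.stderr
        )
        return str(redacted)  # keeps exit status and captured output, drops argv
    return ""


if __name__ == "__main__":
    print("vulnerable:", vulnerable_call(SECRET))
    print("hardened:  ", hardened_call(SECRET))
```

When the tool being invoked cannot read the secret from stdin, the fallback is a temporary file with mode 0600 that is unlinked after the call; the argv redaction in the `except` branch is still needed so the file path (not the content) is the most a log can reveal.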
CVE-2024-41124 Puncia is the Official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. This issue has been addressed in release version 0.21 by using https rather than http connections. All users are advised to upgrade. There are no known workarounds for this vulnerability. -- Jul 22, 2024 n/a
CVE-2024-41122 Woodpecker is a simple yet powerful CI/CD engine with great extensibility. The server allows any user who can trigger a pipeline to run malicious workflows: 1. Those workflows can lead to a takeover of the host that runs the agent executing the workflow. 2. Or they can extract the secrets that would normally be provided to the plugins whose entrypoints are overwritten. This issue has been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. -- Jul 22, 2024 n/a
CVE-2024-41121 Woodpecker is a simple yet powerful CI/CD engine with great extensibility. The server allows any user who can trigger a pipeline to run malicious workflows: 1. Those workflows can lead to a takeover of the host that runs the agent executing the workflow. 2. Or they can extract the secrets that would normally be provided to the plugins whose entrypoints are overwritten. This issue has been addressed in release version 2.7.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. -- Jul 22, 2024 n/a
CVE-2024-40634 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20. -- Jul 22, 2024 n/a
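The Argo CD entry above is a resource-exhaustion bug with a simple shape: an unauthenticated endpoint reads and parses an attacker-sized body before any check on its size. The defence is to bound the body before the parser sees it, and to bound it on the bytes actually read rather than on the attacker-controlled Content-Length header. This is an added example, not Argo CD's code; the 1 MiB limit and the sample push events are assumptions.

```python
"""Added example (not Argo CD code): cap a webhook body before JSON parsing so
an oversized payload is rejected with 413 instead of driving the process to OOM."""
import io
import json
from typing import Optional, Tuple

MAX_WEBHOOK_BYTES = 1 * 1024 * 1024  # assumed limit; size it to the largest legitimate event


class PayloadTooLarge(ValueError):
    pass


def read_json_bounded(stream, content_length: Optional[str],
                      max_bytes: int = MAX_WEBHOOK_BYTES):
    """Read at most max_bytes from the body and parse it as JSON.

    Two independent checks, because the attacker controls both:
      1. the declared Content-Length (absent, wrong, or huge),
      2. the bytes actually on the wire (may exceed the declared length).
    At most max_bytes + 1 bytes are ever buffered, whatever the header says,
    so memory is bounded before json.loads runs.
    """
    if content_length is not None:
        try:
            declared = int(content_length)
        except ValueError:
            raise ValueError("invalid Content-Length")
        if declared < 0 or declared > max_bytes:
            raise PayloadTooLarge(f"declared {declared} bytes > limit {max_bytes}")
    body = stream.read(max_bytes + 1)  # the extra byte is how overflow is detected
    if len(body) > max_bytes:
        raise PayloadTooLarge(f"body exceeds limit {max_bytes}")
    return json.loads(body)


def handle_webhook(stream, content_length: Optional[str] = None) -> Tuple[int, str]:
    """Return (HTTP status, message) the way a request handler would."""
    try:
        event = read_json_bounded(stream, content_length)
    except PayloadTooLarge as e:
        return 413, str(e)
    except ValueError as e:  # json.JSONDecodeError is a ValueError
        return 400, f"bad payload: {e}"
    return 200, f"ok: {len(event)} top-level keys"


# Constructed inputs for a stand-alone run.
def demo_small() -> Tuple[int, str]:
    body = json.dumps({"ref": "refs/heads/main", "repository": {"name": "app"}}).encode()
    return handle_webhook(io.BytesIO(body), str(len(body)))


def demo_lying_header() -> Tuple[int, str]:
    """Header claims 100 bytes, wire carries 2 MiB: the read-side check catches it."""
    body = b'{"pad": "' + b"A" * (2 * MAX_WEBHOOK_BYTES) + b'"}'
    return handle_webhook(io.BytesIO(body), "100")


def demo_declared_huge() -> Tuple[int, str]:
    """Header alone is enough to refuse without reading a byte."""
    return handle_webhook(io.BytesIO(b"{}"), str(10 * MAX_WEBHOOK_BYTES))


if __name__ == "__main__":
    for demo in (demo_small, demo_lying_header, demo_declared_huge):
        print(demo.__name__, demo())
```

In a real server the limit belongs at the framework or reverse-proxy layer as well (e.g. a client body size limit in front of the service), so the check is not bypassed by a handler that forgets to call the bounded reader.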
CVE-2024-40502 SQL injection vulnerability in Hospital Management System Project in ASP.Net MVC 1 allows a remote attacker to execute arbitrary code via the btn_login_b_Click function of the Loginpage.aspx -- Jul 22, 2024 n/a
CVE-2024-40430 In SFTPGO 2.6.2, the JWT implementation lacks certain security measures, such as using JWT ID (JTI) claims, nonces, and proper expiration and invalidation mechanisms. -- Jul 22, 2024 n/a
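The SFTPGo entry lists the claims a session token needs so that it can be bounded in time and revoked before it expires: a unique `jti`, `iat`/`exp`, and a server-side invalidation path keyed on `jti`. The following added example (not SFTPGo's code) is a minimal HS256 JWT issuer and verifier built on the standard library that carries those claims; the signing key, the 300-second TTL and the in-memory revocation set are assumptions, and a real service would load the key from configuration and share the revocation list across instances.

```python
"""Added example (not SFTPGo code): HS256 JWT with jti, iat/exp and a
jti-keyed revocation list, plus the checks a verifier must perform."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

KEY = secrets.token_bytes(32)   # assumed per-process signing key
TOKEN_TTL = 300                 # assumed lifetime in seconds
_revoked_jti = set()            # assumed in-memory denylist (shared store in production)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(KEY, signing_input, hashlib.sha256).digest()


def issue(sub: str, now: Optional[int] = None) -> str:
    """Mint a token with a fresh random jti and a short expiry."""
    now = int(time.time()) if now is None else now
    header_b64 = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "iat": now, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(16)}
    claims_b64 = _b64(json.dumps(claims).encode())
    sig = _sign(f"{header_b64}.{claims_b64}".encode())
    return f"{header_b64}.{claims_b64}.{_b64(sig)}"


def revoke(token: str) -> None:
    """Logout / password-change path: remember the jti so the token dies before exp."""
    _, claims_b64, _ = token.split(".")
    _revoked_jti.add(json.loads(_unb64(claims_b64))["jti"])


def verify(token: str, now: Optional[int] = None) -> dict:
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never chooses the algorithm
    expected = _sign(f"{header_b64}.{claims_b64}".encode())
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(claims_b64))
    for required in ("sub", "iat", "exp", "jti"):
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["jti"] in _revoked_jti:
        raise ValueError("revoked")
    return claims


def check(token: str, now: Optional[int] = None) -> str:
    """'ok' or the reason verification failed (convenient for logging and tests)."""
    try:
        verify(token, now)
        return "ok"
    except ValueError as e:
        return str(e)


def forge_sub(token: str, new_sub: str) -> str:
    """Attacker rewrites the claims without the key; the signature no longer matches."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(claims_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    t = issue("alice", now=1_000_000)
    print(check(t, now=1_000_100), check(t, now=1_000_000 + TOKEN_TTL),
          check(forge_sub(t, "admin"), now=1_000_100))
    revoke(t)
    print(check(t, now=1_000_100))
```

The order of checks matters: the signature is verified before any claim is trusted, so `exp` and `jti` read from an unsigned or tampered token are never acted on, and the revocation lookup only runs for tokens the server itself minted.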
CVE-2024-40400 An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file. -- Jul 22, 2024 n/a
CVE-2024-40348 An issue in the component /api/swaggerui/static of Bazaar v1.4.3 allows unauthenticated attackers to execute a directory traversal. -- Jul 22, 2024 n/a
CVE-2024-40347 A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter htmlid. -- Jul 22, 2024 n/a
CVE-2024-40075 Laravel v11.x was discovered to contain an XML External Entity (XXE) vulnerability. -- Jul 22, 2024 n/a
CVE-2024-40051 IP Guard v4.81.0307.0 was discovered to contain an arbitrary file read vulnerability via the file name parameter. -- Jul 22, 2024 n/a
CVE-2024-39963 AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX9 V22.03.01.46 and AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX12 V1.0 V22.03.01.46 were discovered to contain an authenticated remote command execution (RCE) vulnerability via the macFilterType parameter at /goform/setMacFilterCfg. -- Jul 22, 2024 n/a
CVE-2024-39962 D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router v21_D240126 was discovered to contain a remote code execution (RCE) vulnerability in the ntp_zone_val parameter at /goform/set_ntp. This vulnerability is exploited via a crafted HTTP request. -- Jul 22, 2024 n/a
CVE-2024-39906 A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged in administrator of the blog software. This leads to the immediate execution of the provided commands when the link is accessed by the authenticated administrator. This issue may lead to Remote Code Execution (RCE) and has been addressed by commit `c52f07c`. Users are advised to upgrade. There are no known workarounds for this vulnerability. -- Jul 22, 2024 n/a
CVE-2024-39902 Tuleap is an open source suite to improve management of software developments and collaboration. Prior to Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8, the checkbox Apply same permissions to all sub-items of this folder in the document manager permissions modal is not taken into account and always considered as unchecked. In situations where the permissions are being restricted some users might still keep, incorrectly, the possibility to edit or manage items. Only changes made via the web UI are affected; changes made directly via the REST API are not impacted. This vulnerability is fixed in Tuleap Community Edition 15.10.99.128 and Tuleap Enterprise Edition 15.10-6 and 15.9-8. -- Jul 22, 2024 n/a
CVE-2024-39688 Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is concatenated with other folders and used to open a new file in the generate_config function, which leads to a limited file write. The issue allows for writing /config/config.json file in arbitrary directory on the server. If a given directory path doesn’t exist, the application will return an error, so this vulnerability could also be used to gain information about existing directories on the server. This affects fishaudio/Bert-VITS2 2.3 and earlier. -- Jul 22, 2024 n/a
CVE-2024-39686 Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the bert_gen function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier. -- Jul 22, 2024 n/a
CVE-2024-39685 Bert-VITS2 is the VITS2 Backbone with multilingual bert. User input supplied to the data_dir variable is used directly in a command executed with subprocess.run(cmd, shell=True) in the resample function, which leads to arbitrary command execution. This affects fishaudio/Bert-VITS2 2.3 and earlier. -- Jul 22, 2024 n/a
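The three Bert-VITS2 entries above share one root cause, a user-controlled `data_dir` value, with two different sinks: a path built from it (limited file write, directory probing) and a string built from it and run with `subprocess.run(cmd, shell=True)` (command execution). The directory-traversal entry for Bazaar (CVE-2024-40348) has the same path sink. The following added example, not code from Bert-VITS2 or Bazaar, shows the vulnerable command-string pattern next to the two fixes: pin the value under a fixed base directory before it touches the filesystem, and pass it to `subprocess` as one argv element with `shell=False`. The base directory `/srv/datasets`, the `resample.py` script name and the payloads are assumptions.

```python
"""Added example (not Bert-VITS2/Bazaar code): containment check for a
user-supplied directory name, and argv-list invocation instead of shell=True."""
import subprocess
import sys
from pathlib import Path

DATA_ROOT = Path("/srv/datasets").resolve()  # assumed fixed base directory


def vulnerable_cmd(data_dir: str) -> str:
    """Pattern from the advisory: a command string interpolated from user input.
    Returned rather than executed so the injected tail is visible; with
    shell=True the shell would run everything after the ';'."""
    return f"python resample.py --in_dir {data_dir}/raw --out_dir {data_dir}/wavs"


def safe_data_dir(user_value: str, root: Path = DATA_ROOT) -> Path:
    """Resolve the candidate and require it to stay inside root.
    Catches '..' segments, absolute paths and symlinks that point outside."""
    candidate = (root / user_value).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"data_dir escapes {root}: {user_value!r}")
    return candidate


def is_contained(user_value: str) -> bool:
    try:
        safe_data_dir(user_value)
        return True
    except ValueError:
        return False


def safe_cmd(data_dir: str) -> list:
    """argv list: each element reaches the child verbatim, no shell parsing."""
    d = safe_data_dir(data_dir)
    return [sys.executable, "resample.py",
            "--in_dir", str(d / "raw"), "--out_dir", str(d / "wavs")]


def run_argv_demo(payload: str) -> str:
    """Prove the point: a metacharacter-laden argv element is delivered as-is.
    The child only echoes its first argument; nothing after ';' is executed."""
    res = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", payload],
        capture_output=True, text=True, check=True,
    )
    return res.stdout


if __name__ == "__main__":
    evil = "spk1; touch /tmp/pwned"
    print("shell string:", vulnerable_cmd(evil))
    print("argv echo   :", run_argv_demo(evil))
    for v in ("spk1", "../../etc", "/etc/passwd"):
        print(f"{v!r:14} contained={is_contained(v)}")
```

Resolving before comparing is what makes the containment check hold against symlinks; comparing the raw string prefix would accept `/srv/datasets/../etc` and a symlinked subdirectory alike. The same `safe_data_dir` should guard the `generate_config` write path, since a non-existent directory already leaks existence information through the error the advisory mentions.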
CVE-2024-39601 A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). Affected devices allow a remote authenticated user or an unauthenticated user with physical access to downgrade the firmware of the device. This could allow an attacker to downgrade the device to older versions with known vulnerabilities. -- Jul 22, 2024 n/a
CVE-2024-39250 EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface. -- Jul 22, 2024 n/a
CVE-2024-39123 In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization. -- Jul 22, 2024 n/a
CVE-2024-38944 An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi?formID=142 component. -- Jul 22, 2024 n/a
CVE-2024-38788 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in B?i Admin 2020 UiPress lite allows SQL Injection. This issue affects UiPress lite: from n/a through 3.4.06. -- Jul 22, 2024 n/a
CVE-2024-38786 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BurgerThemes CoziPress allows Stored XSS. This issue affects CoziPress: from n/a through 1.0.30. -- Jul 22, 2024 n/a
CVE-2024-38785 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jegstudio Gutenverse allows Stored XSS. This issue affects Gutenverse: from n/a through 1.9.2. -- Jul 22, 2024 n/a
CVE-2024-38784 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Beaver Builder allows Stored XSS. This issue affects Livemesh Addons for Beaver Builder: from n/a through 3.6.1. -- Jul 22, 2024 n/a
CVE-2024-38782 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MapsMarker.Com e.U. Leaflet Maps Marker allows Stored XSS. This issue affects Leaflet Maps Marker: from n/a through 3.12.9. -- Jul 22, 2024 n/a
CVE-2024-38781 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ArtistScope CopySafe Web Protection allows Reflected XSS. This issue affects CopySafe Web Protection: from n/a through 3.15. -- Jul 22, 2024 n/a
CVE-2024-38773 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection. This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17. -- Jul 22, 2024 n/a
CVE-2024-38767 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BannerSky.Com BSK PDF Manager allows Stored XSS. This issue affects BSK PDF Manager: from n/a through 3.6. -- Jul 22, 2024 n/a
CVE-2024-38759 Deserialization of Untrusted Data vulnerability in WP MEDIA SAS Search & Replace. This issue affects Search & Replace: from n/a through 3.2.2. -- Jul 22, 2024 n/a
CVE-2024-38758 Server-Side Request Forgery (SSRF) vulnerability in WappPress Team WappPress. This issue affects WappPress: from n/a through 6.0.4. -- Jul 22, 2024 n/a
CVE-2024-38757 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Typebot allows Stored XSS. This issue affects Typebot: from n/a through 3.6.0. -- Jul 22, 2024 n/a
CVE-2024-38755 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Designinvento DirectoryPress allows SQL Injection. This issue affects DirectoryPress: from n/a through 3.6.10. -- Jul 22, 2024 n/a
CVE-2024-38750 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in digontoahsan Advanced post slider. This issue affects Advanced post slider: from n/a through 3.0.0. -- Jul 22, 2024 n/a
CVE-2024-38741 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Noor-E-Alam Amazing Hover Effects allows Stored XSS. This issue affects Amazing Hover Effects: from n/a through 2.4.9. -- Jul 22, 2024 n/a
CVE-2024-38739 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in FameThemes OnePress allows Stored XSS. This issue affects OnePress: from n/a through 2.3.8. -- Jul 22, 2024 n/a
CVE-2024-38738 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Marian Kadanka Change From Email allows Stored XSS. This issue affects Change From Email: from n/a through 1.2.1. -- Jul 22, 2024 n/a
CVE-2024-38730 Server-Side Request Forgery (SSRF) vulnerability in Noor alam Magical Addons For Elementor. This issue affects Magical Addons For Elementor: from n/a through 1.1.41. -- Jul 22, 2024 n/a
CVE-2024-38728 Server-Side Request Forgery (SSRF) vulnerability in Seraphinite Solutions Seraphinite Post .DOCX Source. This issue affects Seraphinite Post .DOCX Source: from n/a through 2.16.9. -- Jul 22, 2024 n/a
CVE-2024-38725 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webstix Admin Dashboard RSS Feed allows Stored XSS. This issue affects Admin Dashboard RSS Feed: from n/a through 3.1. -- Jul 22, 2024 n/a
CVE-2024-38723 Server-Side Request Forgery (SSRF) vulnerability in Bernhard Kux JSON Content Importer. This issue affects JSON Content Importer: from n/a through 1.5.6. -- Jul 22, 2024 n/a
CVE-2024-38722 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Job Board Manager allows Stored XSS. This issue affects Job Board Manager: from n/a through 2.1.57. -- Jul 22, 2024 n/a
CVE-2024-38720 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EazyDocs eazydocs allows Stored XSS. This issue affects EazyDocs: from n/a through 2.5.0. -- Jul 22, 2024 n/a
CVE-2024-38718 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in clicklabs® Medienagentur Download Button for Elementor allows Stored XSS. This issue affects Download Button for Elementor: from n/a through 1.2.1. -- Jul 22, 2024 n/a
CVE-2024-38713 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Stored XSS. This issue affects WP Photo Album Plus: from n/a through 8.8.02.002. -- Jul 22, 2024 n/a
CVE-2024-38712 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Qode Interactive Qi Blocks allows Stored XSS. This issue affects Qi Blocks: from n/a through 1.3. -- Jul 22, 2024 n/a
CVE-2024-38711 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yannick Lefebvre Link Library allows Reflected XSS. This issue affects Link Library: from n/a through 7.7.1. -- Jul 22, 2024 n/a
CVE-2024-38710 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jewel Theme Master Addons for Elementor allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through 2.0.6.2. -- Jul 22, 2024 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.