Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 43765 entries
IDDescriptionPriorityModified dateFixed Release
CVE-1999-0095 The debug command in Sendmail is enabled, allowing attackers to execute commands as root. HIGH Jun 11, 2019 -- (VxWorks 7)
CVE-1999-0145 Sendmail WIZ command enabled, allowing root access. HIGH Jun 11, 2019 -- (VxWorks 7)
CVE-1999-1170 IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the \"flags\" registry key to 1920. MEDIUM Aug 13, 2019 -- (VxWorks 7)
CVE-1999-1171 IPswitch WS_FTP allows local users to gain additional privileges and modify or add mail accounts by setting the \"flags\" registry key to 1920. MEDIUM Aug 13, 2019 -- (VxWorks 7)
CVE-1999-1593 Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. NOTE: this problem may be limited when Windows 95/98 clients are used, or if the primary domain controller becomes unavailable. LOW Jan 15, 2009 -- (VxWorks 7)
CVE-2000-1247 The default configuration of the jserv-status handler in jserv.conf in Apache JServ 1.1.2 includes an allow from 127.0.0.1 line, which allows local users to discover JDBC passwords or other sensitive information via a direct request to the jserv/ URI. LOW Oct 5, 2011 -- (VxWorks 7)
CVE-2001-1021 Buffer overflows in WS_FTP 2.02 allow remote attackers to execute arbitrary code via long arguments to (1) DELE, (2) MDTM, (3) MLST, (4) MKD, (5) RMD, (6) RNFR, (7) RNTO, (8) SIZE, (9) STAT, (10) XMKD, or (11) XRMD. HIGH Aug 13, 2019 -- (VxWorks 7)
CVE-2002-0390 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-0639. Reason: This candidate is a reservation duplicate of CVE-2002-0639. Notes: All CVE users should reference CVE-2002-0639 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. -- Jul 21, 2019 -- (VxWorks 7)
CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the IP Identification field at 0 for all non-fragmented packets, which could allow remote attackers to determine that a target system is running Linux. LOW Sep 5, 2008 -- (VxWorks 7)
CVE-2002-0826 Buffer overflow in WS_FTP FTP Server 3.1.1 allows remote authenticated users to execute arbitrary code via a long SITE CPWD command. HIGH Aug 13, 2019 -- (VxWorks 7)
CVE-2003-0367 znew in the gzip package allows local users to overwrite arbitrary files via a symlink attack on temporary files. LOW May 23, 2019 -- (VxWorks 7)
CVE-2003-0772 Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments. HIGH Aug 13, 2019 -- (VxWorks 7)
CVE-2003-1605 curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server. -- Aug 23, 2018 -- (VxWorks 7)
CVE-2004-0281 Caucho Technology Resin 2.1.12 allows remote attackers to gain sensitive information and view the contents of the /WEB-INF/ directory via an HTTP request for \"WEB-INF..\", which is equivalent to \"WEB-INF\" in Windows. MEDIUM Jun 12, 2019 -- (VxWorks 7)
CVE-2004-1179 The debstd script in debmake 3.6.x before 3.6.10 and 3.7.x before 3.7.7 allows local users to overwrite arbitrary files via a symlink attack on temporary directories. LOW Jul 31, 2019 -- (VxWorks 7)
CVE-2004-1643 WS_FTP 5.0.2 allows remote authenticated users to cause a denial of service (CPU consumption) via a CD command that contains an invalid path with a \"../\" sequence. MEDIUM Aug 13, 2019 -- (VxWorks 7)
CVE-2004-1848 Ipswitch WS_FTP Server 4.0.2 allows remote attackers to cause a denial of service (disk consumption) and bypass file size restrictions via a REST command with a large size argument, followed by a STOR of a smaller file. MEDIUM Aug 13, 2019 -- (VxWorks 7)
CVE-2004-1883 Multiple buffer overflows in Ipswitch WS_FTP Server 4.0.2 (1) allow remote authenticated users to execute arbitrary code by causing a large error string to be generated by the ALLO handler, or (2) may allow remote FTP administrators to execute arbitrary code by causing a long hostname or username to be inserted into a reply to a STAT command while a file is being transferred. HIGH Aug 13, 2019 -- (VxWorks 7)
CVE-2004-1884 Ipswitch WS_FTP Server 4.0.2 has a backdoor XXSESS_MGRYY username with a default password, which allows remote attackers to gain access. HIGH Aug 13, 2019 -- (VxWorks 7)
CVE-2004-1885 Ipswitch WS_FTP Server 4.0.2 allows remote authenticated users to execute arbitrary programs as SYSTEM by using the SITE command to modify certain iFtpSvc options that are handled by iftpmgr.exe. HIGH Aug 13, 2019 -- (VxWorks 7)
CVE-2004-2778 Ebuild in Gentoo may change directory and file permissions depending on the order of installed packages, which allows local users to read or write to restricted directories or execute restricted commands via navigating to the affected directories, or executing the affected commands. -- Jun 27, 2017 -- (VxWorks 7)
CVE-2004-2779 id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd number of bytes, triggering an endless loop allocating memory until an OOM condition is reached, leading to denial-of-service (DoS). LOW Feb 20, 2018 -- (VxWorks 7)
CVE-2005-0162 Stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code. HIGH Jul 29, 2019 -- (VxWorks 7)
CVE-2005-0563 Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL (\"jav&#X41sc
ript:\") in an IMG tag. MEDIUM Jun 1, 2019 -- (VxWorks 7)
CVE-2005-1028 PHP-Nuke 6.x through 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) index.php with the forum_admin parameter set, (2) the Surveys module, or (3) the Your_Account module, which reveals the path in a PHP error message. MEDIUM Jul 16, 2019 -- (VxWorks 7)
CVE-2005-2969 The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. LOW Sep 30, 2016 -- (VxWorks 7)
CVE-2005-3590 The getgrouplist function in the GNU C library (glibc) before version 2.3.5, when invoked with a zero argument, writes to the passed pointer even if the specified array size is zero, leading to a buffer overflow and potentially allowing attackers to corrupt memory. HIGH Apr 11, 2019 -- (VxWorks 7)
CVE-2005-3671 The Internet Key Exchange version 1 (IKEv1) implementation in Openswan 2 (openswan-2) before 2.4.4, and freeswan in SUSE LINUX 9.1 before 2.04_1.5.4-1.23, allow remote attackers to cause a denial of service via (1) a crafted packet using 3DES with an invalid key length, or (2) unspecified inputs when Aggressive Mode is enabled and the PSK is known, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. HIGH Jul 29, 2019 -- (VxWorks 7)
CVE-2005-3979 relocate_server.php in Coppermine Photo Gallery (CPG) 1.4.2 and 1.4 beta is not removed after installation and does not use authentication, which allows remote attackers to obtain sensitive information, such as database configuration, via a direct request. MEDIUM Jul 16, 2019 -- (VxWorks 7)
CVE-2005-4850 eZ publish 3.5 through 3.7 before 20050608 requires both edit and create permissions in order to submit data, which allows remote attackers to edit data submitted by arbitrary anonymous users. MEDIUM Jul 31, 2019 -- (VxWorks 7)
CVE-2005-4851 eZ publish 3.4.4 through 3.7 before 20050722 applies certain permissions on the node level, which allows remote authenticated users to bypass the original permissions on embedded objects in XML fields and read these objects. MEDIUM Jul 31, 2019 -- (VxWorks 7)
CVE-2006-0615 Multiple unspecified vulnerabilities in Sun Java JDK and JRE 5.0 Update 4 and earlier, SDK and JRE 1.4.x through 1.4.2_09 allow remote attackers to bypass Java sandbox security and obtain privileges via unspecified vectors involving the reflection APIs, aka the \"second and third issues.\" MEDIUM Jul 31, 2019 -- (VxWorks 7)
CVE-2006-2937 OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition. LOW Sep 30, 2016 -- (VxWorks 7)
CVE-2006-2940 OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification. LOW Sep 30, 2016 -- (VxWorks 7)
CVE-2006-3635 The ia64 subsystem in the Linux kernel before 2.6.26 allows local users to cause a denial of service (stack consumption and system crash) via a crafted application that leverages the mishandling of invalid Register Stack Engine (RSE) state. -- Aug 6, 2017 -- (VxWorks 7)
CVE-2006-3738 Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers. LOW Sep 30, 2016 -- (VxWorks 7)
CVE-2006-4111 Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code with \"severe\" or \"serious\" impact via a File Upload request with an HTTP header that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. HIGH Aug 8, 2019 -- (VxWorks 7)
CVE-2006-4112 Unspecified vulnerability in the \"dependency resolution mechanism\" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or \"data loss,\" a different vulnerability than CVE-2006-4111. HIGH Aug 8, 2019 -- (VxWorks 7)
CVE-2006-4339 OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. LOW Sep 30, 2016 -- (VxWorks 7)
CVE-2006-4343 The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference. MEDIUM Sep 30, 2016 -- (VxWorks 7)
CVE-2006-4847 Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands. MEDIUM Aug 13, 2019 -- (VxWorks 7)
CVE-2006-4911 Unspecified vulnerability in Cisco IPS 5.0 before 5.0(6p2) and 5.1 before 5.1(2), when running in inline or promiscuous mode, allows remote attackers to bypass traffic inspection via a \"crafted sequence of fragmented IP packets\". HIGH Jul 31, 2019 -- (VxWorks 7)
CVE-2006-5000 Multiple buffer overflows in WS_FTP Server 5.05 before Hotfix 1, and possibly other versions down to 5.0, have unknown impact and remote authenticated attack vectors via the (1) XCRC, (2) XMD5, and (3) XSHA1 commands. NOTE: in the early publication of this identifier on 20060926, the description was used for the wrong issue. MEDIUM Aug 13, 2019 -- (VxWorks 7)
CVE-2006-5001 Unspecified vulnerability in the log analyzer in WS_FTP Server 5.05 before Hotfix 1, and possibly other versions down to 5.0, prevents certain sensitive information from being displayed in the (1) Files and (2) Summary tabs. NOTE: in the early publication of this identifier on 20060926, the description was used for the wrong issue. MEDIUM Aug 13, 2019 -- (VxWorks 7)
CVE-2006-5201 Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and JRE 5.0 Update 8 and earlier, SDK and JRE 1.4.x up to 1.4.2_12, and SDK and JRE 1.3.x up to 1.3.1_19; (3) JSSE 1.0.3_03 and earlier; (4) IPSec/IKE; (5) Secure Global Desktop; and (6) StarOffice, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents these products from correctly verifying X.509 and other certificates that use PKCS #1. MEDIUM Jul 31, 2019 -- (VxWorks 7)
CVE-2006-5331 The altivec_unavailable_exception function in arch/powerpc/kernel/traps.c in the Linux kernel before 2.6.19 on 64-bit systems mishandles the case where CONFIG_ALTIVEC is defined and the CPU actually supports Altivec, but the Altivec support was not detected by the kernel, which allows local users to cause a denial of service (panic) by triggering execution of an Altivec instruction. -- Oct 29, 2017 -- (VxWorks 7)
CVE-2006-5484 SSH Tectia Client/Server/Connector 5.1.0 and earlier, Manager 2.2.0 and earlier, and other products, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents Tectia from correctly verifying X.509 and other certificates that use PKCS #1, a similar issue to CVE-2006-4339. MEDIUM Aug 28, 2019 -- (VxWorks 7)
CVE-2006-6587 Cross-site scripting (XSS) vulnerability in the forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) allows remote attackers to inject arbitrary web script or HTML by posting a message. MEDIUM Jul 17, 2019 -- (VxWorks 7)
CVE-2006-6588 The forum implementation in the ecommerce component in the Apache Open For Business Project (OFBiz) trusts the (1) dataResourceTypeId, (2) contentTypeId, and certain other hidden form fields, which allows remote attackers to create unauthorized types of content, modify content, or have other unknown impact. HIGH Jul 17, 2019 -- (VxWorks 7)
CVE-2006-6589 Cross-site scripting (XSS) vulnerability in ecommerce/control/keywordsearch in the Apache Open For Business Project (OFBiz) and Opentaps 0.9.3 allows remote attackers to inject arbitrary web script or HTML via the SEARCH_STRING parameter, a different issue than CVE-2006-6587. NOTE: some of these details are obtained from third party information. MEDIUM Jul 17, 2019 -- (VxWorks 7)
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.
Live chat
Online