Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing 50 of 107763 entries
| ID | Description | Priority | Modified date | Fixed Release |
| --- | --- | --- | --- | --- |
| CVE-2022-27920 | libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in webserver functionality via the search suggestions URL parameter. This is fixed in 10.1.0. | MEDIUM | Mar 25, 2022 | n/a |
| CVE-2022-27924 | Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 allows an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. These memcache commands become unescaped, causing an overwrite of arbitrary cached entries. | MEDIUM | Apr 21, 2022 | n/a |
| CVE-2022-27925 | Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal. | MEDIUM | Apr 21, 2022 | n/a |
| CVE-2022-27926 | A reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters. | MEDIUM | Apr 21, 2022 | n/a |
| CVE-2022-27927 | A SQL injection vulnerability exists in Microfinance Management System 1.0 when MySQL is being used as the application database. An attacker can issue SQL commands to the MySQL database through the vulnerable course_code and/or customer_number parameter. | HIGH | Apr 19, 2022 | n/a |
| CVE-2022-27928 | Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27929 | Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27930 | Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27931 | Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27932 | Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27933 | Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27934 | Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27935 | Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27936 | Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27937 | Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264. | MEDIUM | Jul 17, 2022 | n/a |
| CVE-2022-27938 | stb_image.h (aka the stb image loader) 2.19, as used in libsixel and other products, has a reachable assertion in stbi__create_png_image_raw. | MEDIUM | Mar 26, 2022 | n/a |
| CVE-2022-27939 | tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in get_layer4_v6 in common/get.c. | MEDIUM | Mar 26, 2022 | n/a |
| CVE-2022-27940 | tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_ipv6_next in common/get.c. | MEDIUM | Mar 26, 2022 | n/a |
| CVE-2022-27941 | tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer over-read in get_l2len_protocol in common/get.c. | MEDIUM | Mar 26, 2022 | n/a |
| CVE-2022-27942 | tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read in parse_mpls in common/get.c. | MEDIUM | Mar 26, 2022 | n/a |
| CVE-2022-27943 | libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new. | MEDIUM | Mar 26, 2022 | n/a |
| CVE-2022-27944 | Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow an exportXFAData NULL pointer dereference. | -- | Aug 7, 2022 | n/a |
| CVE-2022-27945 | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi. | HIGH | Mar 26, 2022 | n/a |
| CVE-2022-27946 | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to admin_account.cgi. | HIGH | Mar 26, 2022 | n/a |
| CVE-2022-27947 | NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameter. | HIGH | Mar 26, 2022 | n/a |
| CVE-2022-27948 | ** DISPUTED ** Certain Tesla vehicles through 2022-03-26 allow attackers to open the charging port via a 315 MHz RF signal containing a fixed sequence of approximately one hundred symbols. NOTE: the vendor's perspective is that the behavior is as intended. | LOW | Mar 27, 2022 | n/a |
| CVE-2022-27950 | In drivers/hid/hid-elo.c in the Linux kernel before 5.16.11, a memory leak exists for a certain hid_parse error condition. | LOW | Apr 5, 2022 | n/a |
| CVE-2022-27952 | An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file. | HIGH | Apr 12, 2022 | n/a |
| CVE-2022-27958 | Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information. | MEDIUM | Apr 10, 2022 | n/a |
| CVE-2022-27960 | Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information. | MEDIUM | Apr 10, 2022 | n/a |
| CVE-2022-27961 | A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box. | LOW | Apr 10, 2022 | n/a |
| CVE-2022-27962 | Bluecms 1.6 has a SQL injection vulnerability at cookie. | HIGH | May 3, 2022 | n/a |
| CVE-2022-27963 | Xftp 7.0.0088p and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. | MEDIUM | Apr 1, 2022 | n/a |
| CVE-2022-27964 | Xmanager v7.0.0096 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. | MEDIUM | Apr 1, 2022 | n/a |
| CVE-2022-27965 | Xlpd v7.0.0094 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. | MEDIUM | Apr 1, 2022 | n/a |
| CVE-2022-27966 | Xshell v7.0.0099 and below contains a binary hijack vulnerability which allows attackers to execute arbitrary code via a crafted .exe file. | MEDIUM | Apr 1, 2022 | n/a |
| CVE-2022-27967 | Cynet 360 Web Portal before v4.5 was discovered to allow attackers to access a list of excluded files and profiles via a crafted GET request sent to /WebApp/SettingsExclusion/GetExclusionsProfiles. | -- | Sep 12, 2022 | n/a |
| CVE-2022-27968 | Cynet 360 Web Portal before v4.5 was discovered to allow attackers to access a list of monitored files and profiles via a crafted GET request sent to /WebApp/SettingsFileMonitor/GetFileMonitorProfiles. | -- | Sep 12, 2022 | n/a |
| CVE-2022-27969 | Cynet 360 Web Portal before v4.5 was discovered to allow attackers to access a list of decoy users via a crafted GET request sent to /WebApp/DeceptionUser/GetAllDeceptionUsers. | -- | Sep 12, 2022 | n/a |
| CVE-2022-27982 | RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain a remote code execution (RCE) vulnerability via the fileName parameter at /guest_auth/cfg/upLoadCfg.php. | HIGH | May 2, 2022 | n/a |
| CVE-2022-27983 | RG-NBR-E Enterprise Gateway RG-NBR2100G-E was discovered to contain an arbitrary file read vulnerability via the url parameter in check.php. | MEDIUM | May 2, 2022 | n/a |
| CVE-2022-27984 | CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via the menu_filter parameter at /administrator/templates/default/html/windows/right.php. | HIGH | May 5, 2022 | n/a |
| CVE-2022-27985 | CuppaCMS v1.0 was discovered to contain a SQL injection vulnerability via /administrator/alerts/alertLightbox.php. | HIGH | May 5, 2022 | n/a |
| CVE-2022-27991 | Online Banking System in PHP v1 was discovered to contain multiple SQL injection vulnerabilities at /staff_login.php via the Staff ID and Staff Password parameters. | MEDIUM | Apr 8, 2022 | n/a |
| CVE-2022-27992 | Zoo Management System v1.0 was discovered to contain a SQL injection vulnerability at /public_html/animals via the class_id parameter. | MEDIUM | Apr 8, 2022 | n/a |
| CVE-2022-28000 | Car Rental System v1.0 was discovered to contain a SQL injection vulnerability at /Car_Rental/booking.php via the id parameter. | MEDIUM | Apr 8, 2022 | n/a |
| CVE-2022-28001 | Movie Seat Reservation v1 was discovered to contain a SQL injection vulnerability at /index.php?page=reserve via the id parameter. | HIGH | Apr 8, 2022 | n/a |
| CVE-2022-28002 | Movie Seat Reservation v1 was discovered to contain an unauthenticated file disclosure vulnerability via /index.php?page=home. | MEDIUM | Apr 8, 2022 | n/a |
| CVE-2022-28005 | An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server, leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. Versions prior to version 18, Hotfix 1 Build 18.0.3.461 March 2022, are prone to an additional unauthenticated file system access to C:\Windows\System32. | MEDIUM | May 6, 2022 | n/a |
| CVE-2022-28006 | Attendance and Payroll System v1.0 was discovered to contain a SQL injection vulnerability via the component \admin\employee_delete.php. | MEDIUM | Apr 23, 2022 | n/a |
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.