Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 193735 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2022-3031 An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user\'s password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account. -- Oct 19, 2022 n/a
CVE-2022-3032 When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. -- Dec 22, 2022 n/a
CVE-2022-3033 If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv=refresh</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. The JavaScript code was able to perform actions including, but probably not limited to, read and modify the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document. This bug doesn\'t affect users who have changed the default Message Body display setting to \'simple html\' or \'plain text\'. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. -- Dec 22, 2022 n/a
CVE-2022-3034 When receiving an HTML email that specified to load an <code>iframe</code> element from a remote location, a request to the remote document was sent. However, Thunderbird didn\'t display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. -- Dec 22, 2022 n/a
CVE-2022-3035 Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-it prior to v6.0.11. -- Sep 1, 2022 n/a
CVE-2022-3036 The Gettext override translations WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) -- Sep 21, 2022 n/a
CVE-2022-3037 Use After Free in GitHub repository vim/vim prior to 9.0.0322. -- Sep 1, 2022 n/a
CVE-2022-3038 Use after free in Network Service in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3039 Use after free in WebSQL in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3040 Use after free in Layout in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3041 Use after free in WebSQL in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3042 Use after free in PhoneHub in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3043 Heap buffer overflow in Screen Capture in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3044 Inappropriate implementation in Site Isolation in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3045 Insufficient validation of untrusted input in V8 in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3046 Use after free in Browser Tag in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3047 Insufficient policy enforcement in Extensions API in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3048 Inappropriate implementation in Chrome OS lockscreen in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a local attacker to bypass lockscreen navigation restrictions via physical access to the device. -- Sep 5, 2022 n/a
CVE-2022-3049 Use after free in SplitScreen in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3050 Heap buffer overflow in WebUI in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interactions. -- Sep 5, 2022 n/a
CVE-2022-3051 Heap buffer overflow in Exosphere in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interactions. -- Sep 5, 2022 n/a
CVE-2022-3052 Heap buffer overflow in Window Manager in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interactions. -- Sep 5, 2022 n/a
CVE-2022-3053 Inappropriate implementation in Pointer Lock in Google Chrome on Mac prior to 105.0.5195.52 allowed a remote attacker to restrict user navigation via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3054 Insufficient policy enforcement in DevTools in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3055 Use after free in Passwords in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3056 Insufficient policy enforcement in Content Security Policy in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to bypass content security policy via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3057 Inappropriate implementation in iframe Sandbox in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to leak cross-origin data via a crafted HTML page. -- Sep 5, 2022 n/a
CVE-2022-3058 Use after free in Sign-In Flow in Google Chrome prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interaction. -- Sep 5, 2022 n/a
CVE-2022-3059 The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database. -- Nov 3, 2022 n/a
CVE-2022-3060 Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests -- Oct 19, 2022 n/a
CVE-2022-3061 Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn\'t check the value of \'pixclock\', so it may cause a divide by zero error. -- Sep 1, 2022 n/a
CVE-2022-3062 The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting -- Sep 27, 2022 n/a
CVE-2022-3063 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage -- Nov 7, 2023 n/a
CVE-2022-3064 Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. -- Dec 28, 2022 n/a
CVE-2022-3065 Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. -- Sep 3, 2022 n/a
CVE-2022-3066 An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project. -- Oct 19, 2022 n/a
CVE-2022-3067 An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitrary projects\' content given the project\'s ID. -- Oct 19, 2022 n/a
CVE-2022-3068 Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3. -- Sep 22, 2022 n/a
CVE-2022-3069 The WordLift WordPress plugin before 3.37.2 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. -- Sep 27, 2022 n/a
CVE-2022-3070 The Generate PDF WordPress plugin before 3.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. -- Sep 27, 2022 n/a
CVE-2022-3071 Use after free in Tab Strip in Google Chrome on Chrome OS, Lacros prior to 105.0.5195.52 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via crafted UI interaction. -- Sep 4, 2022 n/a
CVE-2022-3072 Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3. -- Sep 2, 2022 n/a
CVE-2022-3073 Quanos SCHEMA ST4 example web templates in version Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 or below are prone to JavaScript injection allowing a remote attacker to hijack existing sessions to e.g. other web services in the same environment or execute scripts in the users browser environment. The affected script is \'*-schema.js\'. -- Dec 16, 2022 n/a
CVE-2022-3074 The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. -- Sep 27, 2022 n/a
CVE-2022-3075 Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. -- Sep 4, 2022 n/a
CVE-2022-3076 The CM Download Manager WordPress plugin before 2.8.6 allows high privilege users such as admin to upload arbitrary files by setting the any extension via the plugin\'s setting, which could be used by admins of multisite blog to upload PHP files for example. -- Sep 27, 2022 n/a
CVE-2022-3077 A buffer overflow vulnerability was found in the Linux kernel Intel’s iSMT SMBus host controller driver in the way it handled the I2C_SMBUS_BLOCK_PROC_CALL case (via the ioctl I2C_SMBUS) with malicious input data. This flaw could allow a local user to crash the system. -- Sep 9, 2022 n/a
CVE-2022-3078 An issue was discovered in the Linux kernel through 5.16-rc6. There is a lack of check after calling vzalloc() and lack of free after allocation in drivers/media/test-drivers/vidtv/vidtv_s302m.c. -- Sep 2, 2022 n/a
CVE-2022-3079 Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service. -- Sep 21, 2022 n/a
CVE-2022-3080 By sending specific queries to the resolver, an attacker can cause named to crash. -- Sep 25, 2022 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online