Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

193091 entries
ID Description Priority Modified date Fixed Release
CVE-2022-3174 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2. -- Sep 15, 2022 n/a
CVE-2022-3175 Missing Custom Error Page in GitHub repository ikus060/rdiffweb prior to 2.4.2. -- Sep 15, 2022 n/a
CVE-2022-3176 There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659 -- Sep 17, 2022 n/a
CVE-2022-3178 Buffer Over-read in GitHub repository gpac/gpac prior to 2.1.0-DEV. -- Sep 12, 2022 n/a
CVE-2022-3179 Weak Password Requirements in GitHub repository ikus060/rdiffweb prior to 2.4.2. -- Sep 15, 2022 n/a
CVE-2022-3181 An Improper Input Validation vulnerability exists in Trihedral VTScada version 12.0.38 and prior. A specifically malformed HTTP request could cause the affected VTScada to crash. Both local area network (LAN)-only and internet facing systems are affected. -- Nov 4, 2022 n/a
CVE-2022-3182 Improper Access Control vulnerability in the Duo SMS two-factor of Devolutions Remote Desktop Manager 2022.2.14 and earlier allows attackers to bypass the application lock. This issue affects: Devolutions Remote Desktop Manager version 2022.2.14 and prior versions. -- Sep 13, 2022 n/a
CVE-2022-3183 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specific function does not sanitize the input provided by the user, which may expose the affected to an OS command injection vulnerability. -- Dec 22, 2022 n/a
CVE-2022-3184 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the device’s existing firmware allows unauthenticated users to access an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory. -- Dec 22, 2022 n/a
CVE-2022-3185 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product exposes sensitive data concerning the device. -- Dec 22, 2022 n/a
CVE-2022-3186 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the affected product allows an attacker to access the device’s main management page from the cloud. This feature enables users to remotely connect devices, however, the current implementation permits users to access other device's information. -- Dec 22, 2022 n/a
CVE-2022-3187 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where certain PHP pages only validate when a valid connection is established with the database. However, these PHP pages do not verify the validity of a user. Attackers could leverage this lack of verification to read the state of outlets. -- Dec 22, 2022 n/a
CVE-2022-3188 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where unauthenticated users could open PHP index pages without authentication and download the history file from the device; the history file includes the latest actions completed by specific users. -- Dec 22, 2022 n/a
CVE-2022-3189 Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where a specially crafted PHP script could use parameters from a HTTP request to create a URL capable of changing the host parameter. The changed host parameter in the HTTP could point to another host that will send a request to the host or IP specified in the changed host parameter. -- Dec 22, 2022 n/a
CVE-2022-3190 Infinite loop in the F5 Ethernet Trailer protocol dissector in Wireshark 3.6.0 to 3.6.7 and 3.4.0 to 3.4.15 allows denial of service via packet injection or crafted capture file -- Sep 14, 2022 n/a
CVE-2022-3191 Insertion of Sensitive Information into Log File vulnerability in Hitachi Ops Center Analyzer on Linux (Virtual Storage Software Agent component) allows local users to gain sensitive information. This issue affects Hitachi Ops Center Analyzer: from 10.8.1-00 before 10.9.0-00 -- Nov 2, 2022 n/a
CVE-2022-3192 Improper Input Validation vulnerability in ABB AC500 V2 PM5xx allows Client-Server Protocol Manipulation. This issue affects AC500 V2: from 2.0.0 before 2.8.6. -- Mar 31, 2023 n/a
CVE-2022-3193 An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter error_description fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages. -- Sep 29, 2022 n/a
CVE-2022-3194 The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators. -- Jan 16, 2024 n/a
CVE-2022-3195 Out of bounds write in Storage in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) -- Sep 19, 2022 n/a
CVE-2022-3196 Use after free in PDF in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) -- Sep 19, 2022 n/a
CVE-2022-3197 Use after free in PDF in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) -- Sep 19, 2022 n/a
CVE-2022-3198 Use after free in PDF in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) -- Sep 19, 2022 n/a
CVE-2022-3199 Use after free in Frames in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) -- Sep 19, 2022 n/a
CVE-2022-3200 Heap buffer overflow in Internals in Google Chrome prior to 105.0.5195.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) -- Sep 19, 2022 n/a
CVE-2022-3201 Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High) -- Sep 19, 2022 n/a
CVE-2022-3202 A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journaled File System (JFS) in the Linux kernel. This could allow a local attacker to crash the system or leak kernel internal information. -- Sep 16, 2022 n/a
CVE-2022-3203 On ORing net IAP-420(+) with FW version 2.0m a telnet server is enabled by default and cannot permanently be disabled. You can connect to the device via LAN or WiFi with hardcoded credentials and get an administrative shell. These credentials are reset to defaults with every reboot. -- Oct 21, 2022 n/a
CVE-2022-3204 A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From version 1.16.3 on, Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records. -- Sep 22, 2022 n/a
CVE-2022-3205 Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection -- Sep 17, 2022 n/a
CVE-2022-3206 The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named passster using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked. -- Oct 20, 2022 n/a
CVE-2022-3207 The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) -- Oct 12, 2022 n/a
CVE-2022-3208 The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change its content via a CSRF attack. -- Oct 13, 2022 n/a
CVE-2022-3209 The soledad WordPress theme before 8.2.5 does not sanitise the {id,datafilter[type],...} parameters in its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. -- Oct 12, 2022 n/a
CVE-2022-3210 This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xupnpd service, which listens on TCP port 4044 by default. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-15905. -- Mar 30, 2023 n/a
CVE-2022-3211 Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.6. -- Sep 18, 2022 n/a
CVE-2022-3212 <bytes::Bytes as axum_core::extract::FromRequest>::from_request would not, by default, set a limit for the size of the request body. That meant if a malicious peer would send a very large (or infinite) body your server might run out of memory and crash. This also applies to these extractors which used Bytes::from_request internally: axum::extract::Form, axum::extract::Json, String -- Sep 16, 2022 n/a
CVE-2022-3213 A heap buffer overflow issue was found in ImageMagick. When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service. -- Sep 21, 2022 n/a
CVE-2022-3214 Delta Industrial Automation's DIAEnergy, an industrial energy management system, is vulnerable to CWE-798, Use of Hard-coded Credentials. Versions prior to 1.9.03.009 have this vulnerability. Executable files could be uploaded to certain directories using hard-coded bearer authorization, allowing remote code execution. -- Sep 16, 2022 n/a
CVE-2022-3215 NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and inject those newlines into the returned HTTP response. This capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely false responses or other new headers. The injected false responses may also be treated as the response to subsequent requests, which can lead to XSS, cache poisoning, and a number of other flaws. This issue was resolved by adding validation to the HTTPHeaders type, ensuring that there's no whitespace incorrectly present in the HTTP headers provided by users. As the existing API surface is non-failable, all invalid characters are replaced by linear whitespace. -- Sep 30, 2022 n/a
CVE-2022-3216 A vulnerability has been found in Nintendo Game Boy Color and classified as problematic. This vulnerability affects unknown code of the component Mobile Adapter GB. The manipulation leads to memory corruption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-208606 is the identifier assigned to this vulnerability. -- Sep 17, 2022 n/a
CVE-2022-3217 When logging in to a VBASE runtime project via Web-Remote, the product uses XOR with a static initial key to obfuscate login messages. An unauthenticated remote attacker with the ability to capture a login session can obtain the login credentials. -- Sep 17, 2022 n/a
CVE-2022-3218 Due to a reliance on client-side authentication, the WiFi Mouse (Mouse Server) from Necta LLC's authentication mechanism is trivially bypassed, which can result in remote code execution. -- Sep 21, 2022 n/a
CVE-2022-3219 GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. -- Feb 23, 2023 n/a
CVE-2022-3220 The Advanced Comment Form WordPress plugin before 1.2.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. -- Oct 12, 2022 n/a
CVE-2022-3221 Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.3. -- Sep 18, 2022 n/a
CVE-2022-3222 Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV. -- Sep 15, 2022 n/a
CVE-2022-3223 Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1. -- Sep 16, 2022 n/a
CVE-2022-3224 Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0. -- Sep 17, 2022 n/a
CVE-2022-3225 Improper Control of Dynamically-Managed Code Resources in GitHub repository budibase/budibase prior to 1.3.20. -- Sep 16, 2022 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.