Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 101888 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2022-34328 PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php. MEDIUM Jun 23, 2022 n/a
CVE-2022-34305 In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. MEDIUM Jun 23, 2022 n/a
CVE-2022-34300 In tinyexr 1.0.1, there is a heap-based buffer over-read in tinyexr::DecodePixelData. MEDIUM Jun 23, 2022 n/a
CVE-2022-34299 There is a heap-based buffer over-read in libdwarf 0.4.0. This issue is related to dwarf_global_formref_b. MEDIUM Jun 23, 2022 n/a
CVE-2022-34213 Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. MEDIUM Jun 23, 2022 n/a
CVE-2022-34211 A cross-site request forgery (CSRF) vulnerability in Jenkins vRealize Orchestrator Plugin 3.0 and earlier allows attackers to send an HTTP POST request to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34210 A missing permission check in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34209 A cross-site request forgery (CSRF) vulnerability in Jenkins ThreadFix Plugin 1.5.4 and earlier allows attackers to connect to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34208 A missing permission check in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34207 A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34206 A missing permission check in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34205 A cross-site request forgery (CSRF) vulnerability in Jenkins Jianliao Notification Plugin 1.1 and earlier allows attackers to send HTTP POST requests to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34204 A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. MEDIUM Jun 23, 2022 n/a
CVE-2022-34203 A cross-site request forgery (CSRF) vulnerability in Jenkins EasyQA Plugin 1.0 and earlier allows attackers to connect to an attacker-specified HTTP server. MEDIUM Jun 23, 2022 n/a
CVE-2022-34202 Jenkins EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. MEDIUM Jun 23, 2022 n/a
CVE-2022-34201 A missing permission check in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34200 A cross-site request forgery (CSRF) vulnerability in Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier allows attackers to connect to an attacker-specified URL. MEDIUM Jun 23, 2022 n/a
CVE-2022-34199 Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. MEDIUM Jun 23, 2022 n/a
CVE-2022-34182 Jenkins Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. MEDIUM Jun 23, 2022 n/a
CVE-2022-34181 Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn\'t exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory. MEDIUM Jun 23, 2022 n/a
CVE-2022-34180 Jenkins Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for unprotected status badge access, allowing attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build. MEDIUM Jun 23, 2022 n/a
CVE-2022-34179 Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system. MEDIUM Jun 23, 2022 n/a
CVE-2022-34178 Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a \'link\' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability. MEDIUM Jun 23, 2022 n/a
CVE-2022-34177 Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. MEDIUM Jun 23, 2022 n/a
CVE-2022-34175 Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view. MEDIUM Jun 23, 2022 n/a
CVE-2022-34174 In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. MEDIUM Jun 23, 2022 n/a
CVE-2022-34173 In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. MEDIUM Jun 23, 2022 n/a
CVE-2022-34172 In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of \'tooltip\' parameters, resulting in a cross-site scripting (XSS) vulnerability. MEDIUM Jun 23, 2022 n/a
CVE-2022-34171 In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the \'title\' attribute of \'l:ionicon\' (until Jenkins 2.334) and \'alt\' attribute of \'l:icon\' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability. MEDIUM Jun 23, 2022 n/a
CVE-2022-34170 In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. MEDIUM Jun 23, 2022 n/a
CVE-2022-34013 OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Logo parameter under the Link module. MEDIUM Jun 23, 2022 n/a
CVE-2022-34012 Insecure permissions in OneBlog v2.3.4 allows low-level administrators to reset the passwords of high-level administrators who hold greater privileges. MEDIUM Jun 23, 2022 n/a
CVE-2022-34011 OneBlog v2.3.4 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the parameter entryUrls. MEDIUM Jun 23, 2022 n/a
CVE-2022-33995 A path traversal issue in entry attachments in Devolutions Remote Desktop Manager before 2022.2 allows attackers to create or overwrite files in an arbitrary location. MEDIUM Jun 21, 2022 n/a
CVE-2022-33913 In Mahara 21.04 before 21.04.6, 21.10 before 21.10.4, and 22.04.2, files can sometimes be downloaded through thumb.php with no permission check. MEDIUM Jun 21, 2022 n/a
CVE-2022-33139 A vulnerability has been identified in SIMATIC WinCC OA V3.16 (All versions in default configuration), SIMATIC WinCC OA V3.17 (All versions in non-default configuration), SIMATIC WinCC OA V3.18 (All versions in non-default configuration). Affected applications use client-side only authentication, when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated. MEDIUM Jun 21, 2022 n/a
CVE-2022-33124 ** DISPUTED ** AIOHTTP 3.8.1 can report a ValueError: Invalid IPv6 URL outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application. MEDIUM Jun 26, 2022 n/a
CVE-2022-33121 A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link. MEDIUM Jun 25, 2022 n/a
CVE-2022-33119 NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via login.php. MEDIUM Jun 21, 2022 n/a
CVE-2022-33114 Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list. MEDIUM Jun 23, 2022 n/a
CVE-2022-33105 Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID. MEDIUM Jun 23, 2022 n/a
CVE-2022-33097 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/campus/campus_job. MEDIUM Jun 23, 2022 n/a
CVE-2022-33096 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/resume/index. MEDIUM Jun 23, 2022 n/a
CVE-2022-33095 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/jobfairol/resumelist. MEDIUM Jun 23, 2022 n/a
CVE-2022-33094 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/job/map. MEDIUM Jun 23, 2022 n/a
CVE-2022-33093 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the key parameter at /freelance/resume_list. MEDIUM Jun 23, 2022 n/a
CVE-2022-33092 74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/job/index. MEDIUM Jun 23, 2022 n/a
CVE-2022-33070 Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors. MEDIUM Jun 23, 2022 n/a
CVE-2022-33069 Ethereum Solidity v0.8.14 contains an assertion failure via SMTEncoder::indexOrMemberAssignment() at SMTEncoder.cpp. MEDIUM Jun 23, 2022 n/a
CVE-2022-33068 An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors. MEDIUM Jun 23, 2022 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online