Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 175990 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2022-22685 Improper limitation of a pathname to a restricted directory (\'Path Traversal\') vulnerability in webapi component in Synology WebDAV Server before 2.4.0-0062 allows remote authenticated users to delete arbitrary files via unspecified vectors. -- Jul 28, 2022 n/a
CVE-2022-22684 Improper neutralization of special elements used in an OS command (\'OS Command Injection\') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors. -- Jul 29, 2022 n/a
CVE-2022-22683 Buffer copy without checking size of input (\'Classic Buffer Overflow\') vulnerability in cgi component in Synology Media Server before 1.8.1-2876 allows remote attackers to execute arbitrary code via unspecified vectors. -- Jul 28, 2022 n/a
CVE-2022-22412 IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could allow a user with access to the local host (client machine) to obtain a login access token. IBM X-Force ID: 223019. -- Jul 26, 2022 n/a
CVE-2022-22280 Improper Neutralization of Special Elements used in an SQL Command leading to Unauthenticated SQL Injection vulnerability, impacting SonicWall GMS 9.3.1-SP2-Hotfix1, Analytics On-Prem 2.5.0.3-2520 and earlier versions. -- Jul 29, 2022 n/a
CVE-2022-21802 The package grapesjs before 0.19.5 are vulnerable to Cross-site Scripting (XSS) due to an improper sanitization of the class name in Selector Manager. -- Jul 27, 2022 n/a
CVE-2022-2579 A vulnerability, which was classified as problematic, was found in SourceCodester Garage Management System 1.0. Affected is an unknown function of the file /php_action/createUser.php. The manipulation of the argument userName with the input lala<img src= onerror=alert(1)> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. -- Jul 29, 2022 n/a
CVE-2022-2578 A vulnerability, which was classified as critical, has been found in SourceCodester Garage Management System 1.0. This issue affects some unknown processing of the file /php_action/createUser.php. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. -- Jul 29, 2022 n/a
CVE-2022-2577 A vulnerability classified as critical was found in SourceCodester Garage Management System 1.0. This vulnerability affects unknown code of the file /edituser.php. The manipulation of the argument id with the input -2\'%20UNION%20select%2011,user(),333,444--+ leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. -- Jul 29, 2022 n/a
CVE-2022-2564 Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. -- Jul 29, 2022 n/a
CVE-2022-2553 The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster. -- Jul 30, 2022 n/a
CVE-2022-2550 OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1.6.5. -- Jul 27, 2022 n/a
CVE-2022-2549 NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1.0-DEV. -- Jul 27, 2022 n/a
CVE-2022-2523 Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2. -- Jul 27, 2022 n/a
CVE-2022-2522 Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061. -- Jul 27, 2022 n/a
CVE-2022-2514 The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim. -- Jul 27, 2022 n/a
CVE-2022-2414 Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests. -- Jul 29, 2022 n/a
CVE-2022-2399 Use after free in WebGPU in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Jul 29, 2022 n/a
CVE-2022-2341 The Simple Page Transition WordPress plugin through 1.4.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) -- Jul 29, 2022 n/a
CVE-2022-2340 The W-DALIL WordPress plugin through 2.0 does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) -- Jul 29, 2022 n/a
CVE-2022-2324 Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance. This vulnerability impacts 10.0.17.7319 and earlier versions -- Jul 29, 2022 n/a
CVE-2022-2323 Improper neutralization of special elements used in a user input allows an authenticated malicious user to perform remote code execution in the host system. This vulnerability impacts SonicWall Switch 1.1.1.0-2s and earlier versions -- Jul 29, 2022 n/a
CVE-2022-2313 A DLL hijacking vulnerability in the MA Smart Installer for Windows prior to 5.7.7, which allows local users to execute arbitrary code and obtain higher privileges via careful placement of a malicious DLL into the folder from where the Smart installer is being executed. -- Jul 27, 2022 n/a
CVE-2022-2310 An authentication bypass vulnerability in Skyhigh SWG in main releases 10.x prior to 10.2.12, 9.x prior to 9.2.23, 8.x prior to 8.2.28, and controlled release 11.x prior to 11.2.1 allows a remote attacker to bypass authentication into the administration User Interface. This is possible because of SWG incorrectly whitelisting authentication bypass methods and using a weak crypto password. This can lead to the attacker logging into the SWG admin interface, without valid credentials, as the super user with complete control over the SWG. -- Jul 27, 2022 n/a
CVE-2022-2299 The Allow SVG Files WordPress plugin through 1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads -- Jul 29, 2022 n/a
CVE-2022-2240 The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it -- Jul 29, 2022 n/a
CVE-2022-2239 The Request a Quote WordPress plugin before 2.3.9 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. -- Jul 29, 2022 n/a
CVE-2022-2225 By using warp-cli subcommands (disable-ethernet, disable-wifi), it was possible for a user without admin privileges to bypass configured Zero Trust security policies (e.g. Secure Web Gateway policies) and features such as \'Lock WARP switch\'. -- Jul 26, 2022 n/a
CVE-2022-2219 The Unyson WordPress plugin before 2.7.27 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting -- Jul 29, 2022 n/a
CVE-2022-2189 The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER[\'REQUEST_URI\'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers -- Jul 29, 2022 n/a
CVE-2022-2131 OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack. -- Jul 25, 2022 n/a
CVE-2022-2115 The Popup Anything WordPress plugin before 2.1.7 does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting -- Jul 29, 2022 n/a
CVE-2022-2072 The Name Directory WordPress plugin before 1.25.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well -- Jul 29, 2022 n/a
CVE-2022-2071 The Name Directory WordPress plugin before 1.25.4 does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them. -- Jul 29, 2022 n/a
CVE-2022-2059 In Pandora FMS v7.0NG.761 and below, in the agent creation section, the alias parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system. -- Jul 25, 2022 n/a
CVE-2022-2032 In Pandora FMS v7.0NG.761 and below, in the file manager section, the dirname parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system. -- Jul 25, 2022 n/a
CVE-2022-2031 A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other\'s tickets. A user who has been requested to change their password, can exploit this flaw to obtain and use tickets to other services. -- Jul 28, 2022 n/a
CVE-2022-1948 An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details. -- Jul 28, 2022 n/a
CVE-2022-1919 Use after free in Codecs in Google Chrome prior to 101.0.4951.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Jul 28, 2022 n/a
CVE-2022-1805 When connecting to Amazon Workspaces, the SHA256 presented by AWS connection provisioner is not fully verified by Zero Clients. The issue could be exploited by an adversary that places a MITM (Man in the Middle) between a zero client and AWS session provisioner in the network. This issue is only applicable when connecting to an Amazon Workspace from a PCoIP Zero Client. -- Jul 28, 2022 n/a
CVE-2022-1799 Incorrect signature trust exists within Google Play services SDK play-services-basement. A debug version of Google Play services is trusted by the SDK for devices that are non-GMS. We recommend upgrading the SDK past the 2022-05-03 release. -- Jul 29, 2022 n/a
CVE-2022-1648 Pandora FMS v7.0NG.760 and below allows a relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to a Remote Code Execution with running application privilege. -- Jul 26, 2022 n/a
CVE-2022-1615 In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. -- Aug 1, 2022 n/a
CVE-2022-1551 The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, bad actors could use that to access other users\' sensitive files. -- Jul 29, 2022 n/a
CVE-2022-1539 The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks. -- Jul 29, 2022 n/a
CVE-2022-1277 Inavitas Solar Log product has an unauthenticated SQL Injection vulnerability. -- Jul 29, 2022 n/a
CVE-2022-1232 Type confusion in V8 in Google Chrome prior to 100.0.4896.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. -- Jul 27, 2022 n/a
CVE-2022-1042 In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. -- Jul 26, 2022 n/a
CVE-2022-1041 In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning. -- Jul 26, 2022 n/a
CVE-2022-0899 The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting. -- Jul 29, 2022 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online