Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 55496 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2016-1550 An exploitable vulnerability exists in the message authentication functionality of Network Time Protocol libntp. An attacker can send a series of crafted messages to attempt to recover the message digest key. MEDIUM Jun 12, 2016 ntp-1.2.0.2 (VxWorks 7)
CVE-2016-1549 ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim\'s clock. MEDIUM Jun 12, 2016 ntp-1.2.0.2 (VxWorks 7)
CVE-2016-1548 ntpd supports an interleaved mode to allow the protocol to exchange transmit timestamps that were captured after the packet was sent in symmetric associations and broadcast modes. It can be enabled in the configuration file, but it\'s also enabled automatically when a packet received from the source is detected to be in the interleaved mode. The detection compares the origin timestamp in the packet to the previous local receive timestamp. The interleaved mode is enabled even in client associations, even though it makes no sense there. MEDIUM Jun 12, 2016 ntp-1.2.0.2 (VxWorks 7)
CVE-2016-1547 An off-path attacker can cause a preemptable client association to be demobilized by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. Furthermore, if the attacker keeps sending crypto NAK packets, for example every one second, the victim never has a chance to reestablish the association and synchronize time with the legitimate server. MEDIUM Jun 12, 2016 ntp-1.2.0.2 (VxWorks 7)
CVE-2016-1544 nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion). LOW Feb 10, 2020 -- (VxWorks 7)
CVE-2016-1520 The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1519 The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1518 The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1517 OpenCV 3.0.0 allows remote attackers to cause a denial of service (segfault) via vectors involving corrupt chunks. MEDIUM Apr 9, 2017 -- (VxWorks 7)
CVE-2016-1516 OpenCV 3.0.0 has a double free issue that allows attackers to execute arbitrary code. MEDIUM Apr 9, 2017 -- (VxWorks 7)
CVE-2016-1515 A use-after-free / double-free vulnerability can occur in libebml master branch while parsing Track elements of the MKV container. -- Jan 10, 2017 -- (VxWorks 7)
CVE-2016-1514 A specially crafted unicode string in libebml master branch can cause an off-by-few read on the heap in unicode string parsing code in libebml. This issue can potentially be used for information leaks. -- Jan 10, 2017 -- (VxWorks 7)
CVE-2016-1504 dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related to the option length. MEDIUM Feb 7, 2017 -- (VxWorks 7)
CVE-2016-1502 NetApp SnapCenter Server 1.0 and 1.0P1 allows remote attackers to partially bypass authentication and then list and delete backups via unspecified vectors. HIGH Feb 7, 2017 -- (VxWorks 7)
CVE-2016-1487 Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons Collections Library, leading to remote code execution because of Java deserialization. MEDIUM Mar 10, 2020 -- (VxWorks 7)
CVE-2016-1486 A vulnerability in the email attachment scanning functionality of the Advanced Malware Protection (AMP) feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to cause an affected device to stop scanning and forwarding email messages due to a denial of service (DoS) condition. Affected Products: This vulnerability affects Cisco AsyncOS Software releases 9.7.1 and later, prior to the first fixed release, for both virtual and hardware Cisco Email Security Appliances, if the AMP feature is configured to scan incoming email attachments. More Information: CSCuy99453. Known Affected Releases: 9.7.1-066. Known Fixed Releases: 10.0.0-125 9.7.1-207 9.7.2-047. HIGH Oct 28, 2016 -- (VxWorks 7)
CVE-2016-1481 A vulnerability in the email message filtering feature of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.Affected Products: This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for Cisco Email Security Appliances, both virtual and hardware appliances, if the software is configured to apply a message filter that contains certain rules. More Information: CSCux59873. Known Affected Releases: 8.5.6-106 9.1.0-032 9.7.0-125. Known Fixed Releases: 9.1.1-038 9.7.1-066. HIGH Oct 28, 2016 -- (VxWorks 7)
CVE-2016-1480 A vulnerability in the Multipurpose Internet Mail Extensions (MIME) scanner of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to bypass configured user filters on the device. Affected Products: all releases prior to the first fixed release of Cisco AsyncOS Software for Cisco ESA and Cisco WSA, both virtual and hardware appliances, if the software is configured with message or content filters to scan incoming email attachments. More Information: CSCuw03606, CSCux59734. Known Affected Releases: 8.0.0-000 8.5.6-106 9.0.0-000 9.1.0-032 9.6.0-042 9.5.0-444 WSA10.0.0-000. Known Fixed Releases: 9.1.1-038 9.7.1-066. MEDIUM Oct 28, 2016 -- (VxWorks 7)
CVE-2016-1423 A vulnerability in the display of email messages in the Messages in Quarantine (MIQ) view in Cisco AsyncOS for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause a user to click a malicious link in the MIQ view. The malicious link could be used to facilitate a cross-site scripting (XSS) or HTML injection attack. More Information: CSCuz02235. Known Affected Releases: 8.0.2-069. Known Fixed Releases: 9.1.1-038 9.7.2-047. MEDIUM Oct 28, 2016 -- (VxWorks 7)
CVE-2016-1417 Untrusted search path vulnerability in Snort 2.9.7.0-WIN32 allows remote attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse tcapi.dll that is located in the same folder on a remote file share as a pcap file that is being processed. MEDIUM Jan 27, 2017 -- (VxWorks 7)
CVE-2016-1411 A vulnerability in the update functionality of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Content Management Security Appliance (SMA) could allow an unauthenticated, remote attacker to impersonate the update server. More Information: CSCul88715, CSCul94617, CSCul94627. Known Affected Releases: 7.5.2-201 7.6.3-025 8.0.1-023 8.5.0-000 8.5.0-ER1-198 7.5.2-HP2-303 7.7.0-608 7.7.5-835 8.5.1-021 8.8.0-000 7.9.1-102 8.0.0-404 8.1.1-013 8.2.0-222. Known Fixed Releases: 8.0.2-069 8.0.2-074 8.5.7-042 9.1.0-032 8.5.2-027 9.6.1-019. MEDIUM Dec 13, 2016 -- (VxWorks 7)
CVE-2016-1283 The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\\){99}-))(?J)(?\'R\'(?\'R\'<((?\'RR\'(?\'R\'\\){97)?J)?J)(?\'R\'(?\'R\'\\){99|(:(?|(?\'R\')(\\k\'R\')|((?\'R\')))H\'R\'R)(H\'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. HIGH Jan 7, 2016 -- (VxWorks 7)
CVE-2016-1281 Untrusted search path vulnerability in the installer for TrueCrypt 7.2 and 7.1a, VeraCrypt before 1.17-BETA, and possibly other products allows local users to execute arbitrary code with administrator privileges and conduct DLL hijacking attacks via a Trojan horse DLL in the application directory, as demonstrated with the USP10.dll, RichEd20.dll, NTMarta.dll and SRClient.dll DLLs. MEDIUM Jan 26, 2017 -- (VxWorks 7)
CVE-2016-1265 A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or gain access to devices managed by Junos Space using cross site request forgery (CSRF), default authentication credentials, information leak and command injection attack vectors. All versions of Juniper Networks Junos Space prior to 15.1R3 are affected. HIGH Oct 13, 2017 -- (VxWorks 7)
CVE-2016-1261 J-Web does not validate certain input that may lead to cross-site request forgery (CSRF) issues or cause a denial of J-Web service (DoS). MEDIUM Oct 13, 2017 -- (VxWorks 7)
CVE-2016-1255 The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable before 178, in Ubuntu 12.04 LTS before 129ubuntu1.2, in Ubuntu 14.04 LTS before 154ubuntu1.1, in Ubuntu 16.04 LTS before 173ubuntu0.1, in Ubuntu 17.04 before 179ubuntu0.1, and in Ubuntu 17.10 before 184ubuntu1.1 allows local users to gain root privileges via a symlink attack on a logfile in /var/log/postgresql. HIGH Dec 5, 2017 -- (VxWorks 7)
CVE-2016-1254 Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor. MEDIUM Dec 5, 2017 -- (VxWorks 7)
CVE-2016-1253 The most package in Debian wheezy before 5.0.0a-2.2, in Debian jessie before 5.0.0a-2.3+deb8u1, and in Debian unstable before 5.0.0a-3 allows remote attackers to execute arbitrary commands via shell metacharacters in the name of an LZMA-compressed file. HIGH Dec 5, 2017 -- (VxWorks 7)
CVE-2016-1252 The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures. MEDIUM Dec 5, 2017 -- (VxWorks 7)
CVE-2016-1251 There is a vulnerability of type use-after-free affecting DBD::mysql (aka DBD-mysql or the Database Interface (DBI) MySQL driver for Perl) 3.x and 4.x before 4.041 when used with mysql_server_prepare=1. MEDIUM Dec 1, 2016 -- (VxWorks 7)
CVE-2016-1249 The DBD::mysql module before 4.039 for Perl, when using server-side prepared statement support, allows attackers to cause a denial of service (out-of-bounds read) via vectors involving an unaligned number of placeholders in WHERE condition and output fields in SELECT expression. MEDIUM Feb 16, 2017 -- (VxWorks 7)
CVE-2016-1248 vim before patch 8.0.0056 does not properly validate values for the \'filetype\', \'syntax\' and \'keymap\' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened. MEDIUM Nov 23, 2016 -- (VxWorks 7)
CVE-2016-1247 The nginx package before 1.6.2-5+deb8u3 on Debian jessie and the nginx packages before 1.4.6-1ubuntu3.6 on Ubuntu 14.04 LTS, before 1.10.0-0ubuntu0.16.04.3 on Ubuntu 16.04 LTS, and before 1.10.1-0ubuntu1.1 on Ubuntu 16.10 allow local users with access to the web server user account to gain root privileges via a symlink attack on the error log. HIGH Nov 29, 2016 -- (VxWorks 7)
CVE-2016-1245 It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent. HIGH Feb 23, 2017 -- (VxWorks 7)
CVE-2016-1221 Jetstar App for iOS before 3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1220 Cybozu Garoon before 4.2.2 does not properly restrict access. MEDIUM Apr 20, 2017 -- (VxWorks 7)
CVE-2016-1219 Cybozu Garoon before 4.2.2 allows remote attackers to bypass login authentication via vectors related to API use. HIGH Apr 20, 2017 -- (VxWorks 7)
CVE-2016-1218 SQL injection vulnerability in Cybozu Garoon before 4.2.2. MEDIUM Apr 20, 2017 -- (VxWorks 7)
CVE-2016-1217 Cross-site scripting (XSS) vulnerability in the Check available times function in Cybozu Garoon before 4.2.2. MEDIUM Apr 20, 2017 -- (VxWorks 7)
CVE-2016-1216 Cross-site scripting (XSS) vulnerability in the New appointment function in Cybozu Garoon before 4.2.2. MEDIUM Apr 20, 2017 -- (VxWorks 7)
CVE-2016-1215 Cross-site scripting (XSS) vulnerability in the User details function in Cybozu Garoon before 4.2.2. MEDIUM Apr 20, 2017 -- (VxWorks 7)
CVE-2016-1214 Cross-site scripting (XSS) vulnerability in the Response request function in Cybozu Garoon before 4.2.2. MEDIUM Apr 20, 2017 -- (VxWorks 7)
CVE-2016-1213 The Scheduler function in Cybozu Garoon before 4.2.2 allows remote attackers to redirect users to arbitrary websites. MEDIUM Apr 20, 2017 -- (VxWorks 7)
CVE-2016-1210 The 105 BANK app 1.0 and 1.1 for Android and 1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1198 Photopt for Android before 2.0.1 does not verify SSL certificates. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1194 Cybozu Garoon before 4.2.1 allows remote attackers to cause a denial of service. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1187 Cybozu KUNAI for iPhone 2.0.3 through 3.1.5 and for Android 2.1.2 through 3.0.4 does not verify SSL certificates. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1186 Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL server certificates. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1184 Tokyo Star bank App for Android before 1.4 and Tokyo Star bank App for iOS before 1.4 do not validate SSL certificates. MEDIUM Apr 21, 2017 -- (VxWorks 7)
CVE-2016-1179 Cross-site scripting (XSS) vulnerability in the standard template of the comment functionality in appleple a-blog cms 2.6.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML. MEDIUM Apr 20, 2017 -- (VxWorks 7)
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version.
Live chat
Online