Wind River Support Network

HomeCVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Reset
Showing
of 199260 entries
IDDescriptionPriorityModified dateFixed Release
CVE-2016-5818 An issue was discovered in Schneider Electric PowerLogic PM8ECC device 2.651 and older. Undocumented hard-coded credentials allow access to the device. HIGH Feb 17, 2017 n/a
CVE-2016-5816 A Use of Hard-Coded Cryptographic Key issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded private cryptographic keys that may allow an attacker to decrypt traffic from any other source. MEDIUM Aug 25, 2017 n/a
CVE-2016-5815 An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal and make configuration changes. HIGH Feb 14, 2017 n/a
CVE-2016-5813 An issue was discovered in Visonic PowerLink2, all versions prior to October 2016 firmware release. When a specific URL to an image is accessed, the downloaded image carries with it source code used in the web server (INFORMATION EXPOSURE). MEDIUM Feb 14, 2017 n/a
CVE-2016-5811 An issue was discovered in Visonic PowerLink2, all versions prior to October 2016 firmware release. User controlled input is not neutralized prior to being placed in web page output (CROSS-SITE SCRIPTING). MEDIUM Feb 17, 2017 n/a
CVE-2016-5810 upAdminPg.asp in Advantech WebAccess before 8.1_20160519 allows remote authenticated administrators to obtain sensitive password information via unspecified vectors. MEDIUM May 11, 2017 n/a
CVE-2016-5809 An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved. MEDIUM Feb 14, 2017 n/a
CVE-2016-5808 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none -- Nov 7, 2023 n/a
CVE-2016-5806 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none -- Nov 7, 2023 n/a
CVE-2016-5805 An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to2.10.10. There are multiple instances of heap-based buffer overflows that may allow malicious files to cause the execution of arbitrary code or a denial of service. MEDIUM Feb 14, 2017 n/a
CVE-2016-5803 An issue was discovered in CA Unified Infrastructure Management Version 8.47 and earlier. The Unified Infrastructure Management software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory. HIGH Feb 14, 2017 n/a
CVE-2016-5802 An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to 2.10.10. Multiple instances of out-of-bounds write conditions may allow malicious files to be read and executed by the affected software. MEDIUM Feb 14, 2017 n/a
CVE-2016-5801 An issue was discovered in OmniMetrix OmniView, Version 1.2. Insufficient password requirements for the OmniView web application may allow an attacker to gain access by brute forcing account passwords. MEDIUM Feb 17, 2017 n/a
CVE-2016-5800 A malicious attacker can trigger a remote buffer overflow in the Communication Server in Fatek Automation PM Designer V3 Version 2.1.2.2, and Automation FV Designer Version 1.2.8.0. MEDIUM Mar 27, 2019 n/a
CVE-2016-5798 An issue was discovered in Fatek Automation PM Designer V3 Version 2.1.2.2, and Automation FV Designer Version 1.2.8.0. By sending additional valid packets, an attacker could trigger a stack-based buffer overflow and cause a crash. Also, a malicious attacker can trigger a remote buffer overflow on the Fatek Communication Server. MEDIUM Feb 17, 2017 n/a
CVE-2016-5796 An issue was discovered in Fatek Automation PM Designer V3 Version 2.1.2.2, and Automation FV Designer Version 1.2.8.0. Sending additional valid packets could allow the attacker to cause a crash or to execute arbitrary code, because of Improper Restriction of Operations within the Bounds of a Memory Buffer. MEDIUM Feb 17, 2017 n/a
CVE-2016-5795 An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. High Sep 7, 2017 n/a
CVE-2016-5794 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none -- Nov 7, 2023 n/a
CVE-2016-5791 An Improper Authentication issue was discovered in JanTek JTC-200, all versions. The improper authentication could provide an undocumented BusyBox Linux shell accessible over the TELNET service without any authentication. HIGH Oct 12, 2017 n/a
CVE-2016-5789 A Cross-site Request Forgery issue was discovered in JanTek JTC-200, all versions. An attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. MEDIUM Oct 12, 2017 n/a
CVE-2016-5788 General Electric (GE) Bently Nevada 3500/22M USB with firmware before 5.0 and Bently Nevada 3500/22M Serial have open ports, which makes it easier for remote attackers to obtain privileged access via unspecified vectors. HIGH Nov 28, 2016 n/a
CVE-2016-5786 An issue was discovered in OmniMetrix OmniView, Version 1.2. The OmniView web application transmits credentials with the HTTP protocol, which could be sniffed by an attacker that may result in the compromise of account credentials. MEDIUM Feb 17, 2017 n/a
CVE-2016-5782 An issue was discovered in Locus Energy LGate prior to 1.05H, LGate 50, LGate 100, LGate 101, LGate 120, and LGate 320. Locus Energy meters use a PHP script to manage the energy meter parameters for voltage monitoring and network configuration. The PHP code does not properly validate information that is sent in the POST request. HIGH Feb 14, 2017 n/a
CVE-2016-5771 spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data. HIGH Aug 10, 2016 n/a
CVE-2016-5765 Administrative Server in Micro Focus Host Access Management and Security Server (MSS) and Reflection for the Web (RWeb) and Reflection Security Gateway (RSG) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that allows limited directory traversal. Applies to MSS 12.3 before 12.3.326 and MSS 12.2 before 12.2.342 and RSG 12.1 before 12.1.362 and RWeb 12.3 before 12.3.312 and RWeb 12.2 before 12.2.342 and RWeb 12.1 before 12.1.362 and ZFE 2.0.1 before 2.0.1.18 and ZFE 2.0.0 before 2.0.0.52 and ZFE 1.4.0 before 1.4.0.14. MEDIUM Nov 30, 2016 n/a
CVE-2016-5764 Micro Focus Rumba FTP 4.X client buffer overflow makes it possible to corrupt the stack and allow arbitrary code execution. Fixed in: Rumba FTP 4.5 (HF 14668). This can only occur if a client connects to a malicious server. MEDIUM Oct 28, 2016 n/a
CVE-2016-5763 Vulnerability in Novell Open Enterprise Server (OES2015 SP1 before Scheduled Maintenance Update 10992, OES2015 before Scheduled Maintenance Update 10990, OES11 SP3 before Scheduled Maintenance Update 10991, OES11 SP2 before Scheduled Maintenance Update 10989) might allow authenticated remote attackers to perform unauthorized file access and modification. MEDIUM Nov 15, 2016 n/a
CVE-2016-5762 Integer overflow in the Post Office Agent in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 might allow remote attackers to execute arbitrary code via a long (1) username or (2) password, which triggers a heap-based buffer overflow. HIGH Apr 20, 2017 n/a
CVE-2016-5761 Cross-site scripting (XSS) vulnerability in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allows remote attackers to inject arbitrary web script or HTML via a crafted email. MEDIUM Apr 20, 2017 n/a
CVE-2016-5760 Multiple cross-site scripting (XSS) vulnerabilities in the administrator console in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allow remote attackers to inject arbitrary web script or HTML via the (1) token parameter to gwadmin-console/install/login.jsp or (2) PATH_INFO to gwadmin-console/index.jsp. MEDIUM Apr 20, 2017 n/a
CVE-2016-5759 The mkdumprd script called dracut in the current working directory . allows local users to trick the administrator into executing code as root. MEDIUM Sep 8, 2017 n/a
CVE-2016-5758 A cross site request forgery protection mechanism in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be circumvented by repeated uploads causing a high load. MEDIUM Mar 24, 2017 n/a
CVE-2016-5757 iManager Admin Console in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 was vulnerable to iFrame manipulation attacks, which could allow remote users to gain access to authentication credentials. HIGH Mar 24, 2017 n/a
CVE-2016-5756 Multiple components of the web tools in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 were vulnerable to Reflected Cross Site Scripting attacks which could be used to hijack user sessions: nps/servlet/frameservice, nps/servlet/webacc, roma/admin/cntl, roma/jsp/admin/appliance/devicedetail_edit.jsp, roma/jsp/admin/managementip/mgmt_ip_details_frameset.jsp, roma/jsp/admin/managementip/mgmt_ip_details_middleframe.jsp, roma/jsp/volsc/monitoring/appliance.jsp, and roma/jsp/volsc/monitoring/graph.jsp. MEDIUM Mar 24, 2017 n/a
CVE-2016-5755 NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 was vulnerable to clickjacking attacks due to a missing SAMEORIGIN filter in the high encryption setting. MEDIUM Mar 24, 2017 n/a
CVE-2016-5754 Presence of a .htaccess file could leak information in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before SP2. MEDIUM Mar 24, 2017 n/a
CVE-2016-5752 The SAML2 implementation in Identity Server in NetIQ Access Manager 4.1 before 4.1.2 HF1 and 4.2 before 4.2.2 was handling unsigned SAML requests incorrectly, leaking results to a potentially malicious Assertion Consumer Service URL instead of the original requester. MEDIUM Mar 24, 2017 n/a
CVE-2016-5751 An unfiltered finalizer target URL in the SAML processing feature in Identity Server in NetIQ Access Manager 4.1 before 4.1.2 HF1 and 4.2 before 4.2.2 could be used to trigger XSS and leak authentication credentials. MEDIUM Mar 24, 2017 n/a
CVE-2016-5750 The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to upload JSP pages that would be executed as the iManager user, allowing code execution by logged-in remote users. MEDIUM Mar 24, 2017 n/a
CVE-2016-5749 NetIQ Access Manager 4.1 before 4.1.2 HF 1 and 4.2 before 4.2.2 was parsing incoming SAML requests with external entity resolution enabled, which could lead to local file disclosure via an XML External Entity (XXE) attack. LOW Mar 24, 2017 n/a
CVE-2016-5748 External Entity Processing (XXE) vulnerability in the risk score application of NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could be used to disclose the content of local files to logged-in users. LOW Mar 24, 2017 n/a
CVE-2016-5747 A security vulnerability in cookie handling in the http stack implementation in NDSD in Novell eDirectory before 9.0.1 allows remote attackers to bypass intended access restrictions by leveraging predictable cookies. MEDIUM Mar 27, 2017 n/a
CVE-2016-5742 SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. HIGH Jan 24, 2017 n/a
CVE-2016-5740 An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. This code gets executed within the context of the user's current session. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). MEDIUM Dec 16, 2016 n/a
CVE-2016-5737 The Gerrit configuration in the Openstack Puppet module for Gerrit (aka puppet-gerrit) improperly marks text/html as a safe mimetype, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a crafted review. MEDIUM Jan 12, 2017 n/a
CVE-2016-5735 Integer overflow in the rwpng_read_image24_libpng function in rwpng.c in pngquant 2.7.0 allows remote attackers to have unspecified impact via a crafted PNG file, which triggers a buffer overflow. MEDIUM May 23, 2017 n/a
CVE-2016-5727 LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop. MEDIUM Feb 23, 2017 n/a
CVE-2016-5726 Packages.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the themechanges array parameter. HIGH Feb 23, 2017 n/a
CVE-2016-5725 Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a .. (dot dot backslash) in a response to a recursive GET command. MEDIUM Jan 20, 2017 n/a
CVE-2016-5724 Cloudera CDH before 5.9 has Potentially Sensitive Information in Diagnostic Support Bundles. MEDIUM Nov 26, 2019 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online