
Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing of 90736 entries
ID | Description | Priority | Modified date | Fixed Release
CVE-2022-22123 | In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary JavaScript code that will execute on a victim’s server. | LOW | Jan 14, 2022 | n/a
CVE-2022-22122 | In Mattermost Focalboard, versions prior to v0.7.5, v0.8.4, v0.9.5, v0.10.1 and v0.11.0-rc1; as used respectively in Mattermost, versions prior to v5.37.6, v5.39.3, v6.0.4, v6.1.1 and v6.2.0, are vulnerable to Insufficient Session Expiration. When a user initiates a logout, their session is not invalidated properly. In addition, user sessions are stored in the browser’s local storage, which by default does not have an expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, to completely take over a victim account. | -- | Jan 13, 2022 | n/a
CVE-2022-22121 | In NocoDB, versions 0.81.0 through 0.83.8 are affected by a CSV Injection vulnerability (Formula Injection). A low privileged attacker can create a new table to inject payloads in the table rows. When an administrator accesses the User Management endpoint and exports the data as a CSV file and opens it, the payload gets executed. | -- | Jan 10, 2022 | n/a
CVE-2022-22120 | In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn’t registered within the system. This allows attackers to enumerate the registered users’ email addresses. | -- | Jan 10, 2022 | n/a
CVE-2022-22117 | In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to a Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered. | LOW | Jan 14, 2022 | n/a
CVE-2022-22116 | In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in the media upload functionality. A low privileged attacker can inject arbitrary JavaScript code which will be executed in a victim’s browser when they open the image URL. | LOW | Jan 14, 2022 | n/a
CVE-2022-22115 | In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Since the Tag name is not being sanitized properly in the edit tag page, a low privileged attacker can store malicious scripts in the name of the Tag. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, and privilege escalation. | LOW | Jan 14, 2022 | n/a
CVE-2022-22114 | In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “search term” search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are executed in a victim’s browser when they enter the crafted URL. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the Session ID, which can lead to full Account Takeover of the administrator, by an unauthenticated attacker. | MEDIUM | Jan 14, 2022 | n/a
CVE-2022-22113 | In DayByDay CRM, versions 2.2.0 through 2.2.1 (latest) are vulnerable to Insufficient Session Expiration. When a password has been changed by the user or by an administrator, a user that was already logged in will still have access to the application even after the password was changed. | MEDIUM | Jan 14, 2022 | n/a
CVE-2022-22112 | In DayByDay CRM, versions 1.1 through 2.2.1 (latest) suffer from an application-wide Client-Side Template Injection (CSTI). A low privileged attacker can input template injection payloads in the application at various locations to execute JavaScript in the client browser. | -- | Jan 13, 2022 | n/a
CVE-2022-22111 | In DayByDay CRM, version 2.2.0 is vulnerable to missing authorization. Any application user who has the update user permission enabled is able to change the password of other users, including the administrator’s. This allows the attacker to gain access to the highest privileged user in the application. | MEDIUM | Jan 8, 2022 | n/a
CVE-2022-22110 | In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak password requirements in the user update functionality. A user with privileges to update his password could change it to a weak password, such as one with a length of a single character. This may allow an attacker to brute-force users’ passwords with minimal to no computational effort. | MEDIUM | Jan 8, 2022 | n/a
CVE-2022-22109 | In Daybyday CRM, version 2.2.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability that allows low privileged application users to store malicious scripts in the title field of new tasks. These scripts are executed in a victim’s browser when they open the “/tasks” page to view all the tasks. | LOW | Jan 8, 2022 | n/a
CVE-2022-22108 | In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileged account (employee type user) can view the absences of all users in the system, including administrators. This type of user is not authorized to view this kind of information. | MEDIUM | Jan 8, 2022 | n/a
CVE-2022-22107 | In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileged account (employee type user) can view the appointments of all users in the system, including administrators. However, this type of user is not authorized to view the calendar at all. | MEDIUM | Jan 8, 2022 | n/a
CVE-2022-22056 | The Le-yan dental management system contains a hard-coded credentials vulnerability in the web page source code, which allows an unauthenticated remote attacker to acquire administrator’s privilege and control the system or disrupt service. | HIGH | Jan 14, 2022 | n/a
CVE-2022-22055 | The Le-yan dental management system contains an SQL-injection vulnerability. An unauthenticated remote attacker can inject SQL commands into the input field of the login page to acquire administrator’s privilege and perform arbitrary operations on the system or disrupt service. | HIGH | Jan 14, 2022 | n/a
CVE-2022-22054 | ASUS RT-AX56U’s login function contains a path traversal vulnerability due to its inadequate filtering of special characters in URL parameters, which allows an unauthenticated local area network attacker to access restricted system paths and download arbitrary files. | LOW | Jan 14, 2022 | n/a
CVE-2022-21970 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21954. | -- | Jan 12, 2022 | n/a
CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21855. | -- | Jan 12, 2022 | n/a
CVE-2022-21964 | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21963 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21892, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962. | -- | Jan 12, 2022 | n/a
CVE-2022-21962 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21892, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21963. | -- | Jan 12, 2022 | n/a
CVE-2022-21961 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21892, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21962, CVE-2022-21963. | -- | Jan 12, 2022 | n/a
CVE-2022-21960 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21892, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963. | -- | Jan 12, 2022 | n/a
CVE-2022-21959 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21892, CVE-2022-21928, CVE-2022-21958, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963. | -- | Jan 12, 2022 | n/a
CVE-2022-21958 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21892, CVE-2022-21928, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963. | -- | Jan 12, 2022 | n/a
CVE-2022-21954 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21970. | -- | Jan 12, 2022 | n/a
CVE-2022-21933 | ASUS VivoMini/Mini PC device has an improper input validation vulnerability. A local attacker with system privilege can use a system management interrupt (SMI) to modify memory, resulting in arbitrary code execution for controlling the system or disrupting service. | -- | Jan 21, 2022 | n/a
CVE-2022-21932 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21931 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21929, CVE-2022-21930. | -- | Jan 12, 2022 | n/a
CVE-2022-21930 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21929, CVE-2022-21931. | -- | Jan 12, 2022 | n/a
CVE-2022-21929 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21930, CVE-2022-21931. | -- | Jan 12, 2022 | n/a
CVE-2022-21928 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21892, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963. | -- | Jan 12, 2022 | n/a
CVE-2022-21925 | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21924 | Workstation Service Remote Protocol Security Feature Bypass Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21922 | Remote Procedure Call Runtime Remote Code Execution Vulnerability. | HIGH | Jan 12, 2022 | n/a
CVE-2022-21921 | Windows Defender Credential Guard Security Feature Bypass Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21920 | Windows Kerberos Elevation of Privilege Vulnerability. | HIGH | Jan 12, 2022 | n/a
CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21895. | -- | Jan 12, 2022 | n/a
CVE-2022-21918 | DirectX Graphics Kernel File Denial of Service Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21917 | HEVC Video Extensions Remote Code Execution Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21916 | Windows Common Log File System Driver Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21897. | -- | Jan 12, 2022 | n/a
CVE-2022-21915 | Windows GDI+ Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-21880. | -- | Jan 12, 2022 | n/a
CVE-2022-21914 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21885. | -- | Jan 12, 2022 | n/a
CVE-2022-21913 | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass. | -- | Jan 12, 2022 | n/a
CVE-2022-21912 | DirectX Graphics Kernel Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21898. | -- | Jan 12, 2022 | n/a
CVE-2022-21911 | .NET Framework Denial of Service Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21910 | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability. | -- | Jan 12, 2022 | n/a
CVE-2022-21908 | Windows Installer Elevation of Privilege Vulnerability. | -- | Jan 12, 2022 | n/a
The 'Fixed Release' column is displayed only when a single product version is selected from the filter. The fixed release applies in cases where the CVE has been addressed and fixed for that product version. Requires LTSS: customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.