Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a catalog of standardized identifiers (CVE IDs) for publicly disclosed vulnerabilities and security exposures. Each entry below carries the MITRE description, the priority assigned by Wind River, the date the entry was last modified, and, when a single product version is selected, the release in which it was fixed.

Showing entries from a database of 43765 total.
ID | Description | Priority | Modified date | Fixed Release
CVE-2019-1010039 | uLaunchELF < commit 170827a is affected by: Buffer Overflow. The impact is: Possible code execution and denial of service. The component is: Loader program (loader.c) overly trusts the arguments provided via command line. | HIGH | Jul 16, 2019 | -- (VxWorks 7)
CVE-2019-1010038 | OpenModelica OMCompiler is affected by: Buffer Overflow. The impact is: Possible code execution and denial of service. The component is: OPENMODELICAHOME parameter changeable via environment variable. The attack vector is: Changing an environment variable. | HIGH | Jul 30, 2019 | -- (VxWorks 7)
CVE-2019-1010034 | Deepwoods Software WebLibrarian 3.5.2 and earlier is affected by: SQL Injection. The impact is: Exposing the entire database. The component is: Function "AllBarCodes" (defined at database_code.php line 1018) is vulnerable to a boolean-based blind sql injection. This function call can be triggered by any user logged-in with at least Volunteer role or manage_circulation capabilities. PoC : /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC. | MEDIUM | Jul 19, 2019 | -- (VxWorks 7)
CVE-2019-1010030 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-11501. Reason: This candidate is a reservation duplicate of CVE-2018-11501. Notes: All CVE users should reference CVE-2018-11501 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Jul 15, 2019 | -- (VxWorks 7)
CVE-2019-1010028 | phpscriptsmall.com School College Portal with ERP Script 2.6.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Attack administrators and teachers, students and more. The component is: /pro-school/index.php?student/message/send_reply/. The attack vector is: <img src=x onerror=alert(document.domain) />. | MEDIUM | Jul 15, 2019 | -- (VxWorks 7)
CVE-2019-1010025 | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." | MEDIUM | Aug 5, 2019 | -- (VxWorks 7)
CVE-2019-1010024 | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. | MEDIUM | Jul 18, 2019 | -- (VxWorks 7)
CVE-2019-1010023 | GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. | MEDIUM | Jul 18, 2019 | -- (VxWorks 7)
CVE-2019-1010022 | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. | HIGH | Jul 18, 2019 | -- (VxWorks 7)
CVE-2019-1010018 | Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3. | MEDIUM | Jul 18, 2019 | -- (VxWorks 7)
CVE-2019-1010017 | libnmap < v0.6.3 is affected by: XML Injection. The impact is: Denial of service (DoS) by consuming resources. The component is: XML Parsing. The attack vector is: Specially crafted XML payload. | MEDIUM | Jul 17, 2019 | -- (VxWorks 7)
CVE-2019-1010016 | Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. The attack vector is: Victim must click a specially crafted link sent by the attacker. | MEDIUM | Jul 15, 2019 | -- (VxWorks 7)
CVE-2019-1010011 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-10753, CVE-2018-10771. Reason: This candidate is a reservation duplicate of CVE-2018-10753 and CVE-2018-10771. Notes: All CVE users should reference CVE-2018-10753 and CVE-2018-10771 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Jul 16, 2019 | -- (VxWorks 7)
CVE-2019-1010009 | DGLogik Inc DGLux Server All Versions is affected by: Insecure Permissions. The impact is: Remote Execution, Credential Leaks. The component is: IoT API. The attack vector is: Any Accessible Server. | HIGH | Jul 30, 2019 | -- (VxWorks 7)
CVE-2019-1010008 | OpenEnergyMonitor Project Emoncms 9.8.8 is affected by: Cross Site Scripting (XSS). The impact is: Theoretically low, but might potentially enable persistent XSS (user could embed mal. code). The component is: Javascript code execution in "Name", "Location", "Bio" and "Starting Page" fields in the "My Account" page. File: Lib/listjs/list.js, line 67. The attack vector is: unknown, victim must open profile page if persistent was possible. | LOW | Jul 18, 2019 | -- (VxWorks 7)
CVE-2019-1010006 | Evince 3.26.0 is affected by buffer overflow. The impact is: DOS / Possible code execution. The component is: backend/tiff/tiff-document.c. The attack vector is: Victim must open a crafted PDF file. The issue occurs because of an incorrect integer overflow protection mechanism in tiff_document_render and tiff_document_get_thumbnail. | MEDIUM | Jul 16, 2019 | -- (VxWorks 7)
CVE-2019-1010005 | HexoEditor v1.1.8-beta is affected by: XSS to code execution. | MEDIUM | Jul 16, 2019 | -- (VxWorks 7)
CVE-2019-1010004 | SoX - Sound eXchange 14.4.2 and earlier is affected by: Out-of-bounds Read. The impact is: Denial of Service. The component is: read_samples function at xa.c:219. The attack vector is: Victim must open specially crafted .xa file. NOTE: this may overlap CVE-2017-18189. | MEDIUM | Jul 15, 2019 | -- (VxWorks 7)
CVE-2019-1010003 | Leanote prior to version 2.6 is affected by: Cross Site Scripting (XSS). | LOW | Jul 12, 2019 | -- (VxWorks 7)
CVE-2019-1003099 | A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003098 | A cross-site request forgery vulnerability in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003097 | Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003096 | Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003095 | Jenkins Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003094 | Jenkins Open STF Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003093 | A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003092 | A cross-site request forgery vulnerability in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003091 | A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003090 | A cross-site request forgery vulnerability in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003089 | Jenkins Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003088 | Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003087 | A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003086 | A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003085 | A missing permission check in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003084 | A cross-site request forgery vulnerability in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003083 | A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003082 | A cross-site request forgery vulnerability in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003081 | A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003080 | A cross-site request forgery vulnerability in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003079 | A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003078 | A cross-site request forgery vulnerability in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 8, 2019 | -- (VxWorks 7)
CVE-2019-1003077 | A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003076 | A cross-site request forgery vulnerability in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers to initiate a connection to an attacker-specified server. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003075 | Jenkins Audit to Database Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003074 | Jenkins Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003073 | Jenkins VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003072 | Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003071 | Jenkins OctopusDeploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003070 | Jenkins veracode-scanner Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
CVE-2019-1003069 | Jenkins Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | MEDIUM | Apr 15, 2019 | -- (VxWorks 7)
The 'Fixed Release' column is displayed only when a single product version is selected from the filter. It names the release in which the CVE was addressed for that product version; a CVE that has not been fixed for the selected version shows no release.
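The Jenkins rows above (CVE-2019-1003069 through CVE-2019-1003099) describe two recurring plugin defects: a form-validation method such as doTestConnection that is reachable by GET (CSRF) and lacks a permission check, so any user with Overall/Read can make the Jenkins master connect to a server they choose; and a credential stored as a plain String, which is written verbatim to config.xml. The following is an added illustration, not code from any plugin listed on this page, of what a vulnerable descriptor looks like and the standard Jenkins remediation: @RequirePOST plus an explicit permission check on the validation method, and hudson.util.Secret for the stored credential. The class name ExampleServerConfig and its fields are hypothetical.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Hypothetical global configuration for a plugin that talks to an external server.
 * Comments mark the vulnerable shape reported in the CVE rows and the fixed shape.
 */
@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    private String serverUrl;

    // VULNERABLE (credentials-in-config.xml class, e.g. CVE-2019-1003075):
    //   private String apiToken;
    // A String field is serialised as clear text into $JENKINS_HOME/config.xml,
    // readable by anyone with file-system access to the master.
    //
    // FIXED: Secret is encrypted with the instance's master key before it is
    // persisted, and Secret.getPlainText() is only called at the point of use.
    private Secret apiToken;

    public ExampleServerConfig() {
        load(); // restore persisted values from config.xml
    }

    public String getServerUrl() { return serverUrl; }

    @DataBoundSetter
    public void setServerUrl(String serverUrl) { this.serverUrl = serverUrl; save(); }

    public Secret getApiToken() { return apiToken; }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) { this.apiToken = apiToken; save(); }

    // VULNERABLE (missing permission check + CSRF class, e.g. CVE-2019-1003076/-1003077):
    //   public FormValidation doTestConnection(@QueryParameter String serverUrl) {
    //       ... open a connection to serverUrl ...
    //   }
    // With no @RequirePOST the method answers GET, so a link in any page the admin
    // visits triggers it (CSRF); with no checkPermission, every user who can log in
    // (Overall/Read) can point the master at an attacker-controlled URL.
    //
    // FIXED: require POST (Jenkins then enforces its CSRF crumb) and require
    // Administer before the master initiates any outbound connection.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String apiToken) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        if (serverUrl == null || !serverUrl.startsWith("https://")) {
            return FormValidation.error("Server URL must start with https://");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            // Token is sent from the form as a String; wrap it so it is never logged
            // or stored in clear text by accident.
            Secret token = Secret.fromString(apiToken);
            conn.setRequestProperty("Authorization", "Bearer " + token.getPlainText());
            int code = conn.getResponseCode();
            if (code >= 200 && code < 300) {
                return FormValidation.ok("Connected (HTTP " + code + ")");
            }
            return FormValidation.warning("Server answered HTTP " + code);
        } catch (Exception e) {
            // Do not echo the token; the exception text is shown in the browser.
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

Two points worth checking in a plugin review: the permission check must sit inside the validation method itself (a check on the configuration page does not protect doTestConnection, which is a separate Stapler endpoint), and every credential-bearing field in both global and job-level descriptors must be a Secret, since job config.xml files are additionally readable by users holding Extended Read, as the rows for CVE-2019-1003088, -1003089 and -1003096 note.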