Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

126890 entries
ID | Description | Priority | Modified date | Fixed Release
CVE-2023-33486 TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setOpModeCfg. This vulnerability allows an attacker to execute arbitrary commands through the hostName parameter. -- May 31, 2023 n/a
CVE-2023-33485 TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a post-authentication buffer overflow via the sPort/ePort parameters in the addEffect function. -- May 31, 2023 n/a
CVE-2023-33477 In Harmonic NSG 9000-6G devices, an authenticated remote user can obtain source code by directly requesting a special path. -- Jun 7, 2023 n/a
CVE-2023-33476 ReadyMedia (MiniDLNA) versions from 1.1.15 up to 1.3.2 are vulnerable to Buffer Overflow. The vulnerability is caused by incorrect validation logic when handling HTTP requests using chunked transport encoding. This results in other code later using attacker-controlled chunk values that exceed the length of the allocated buffer, resulting in out-of-bounds read/write. -- Jun 2, 2023 n/a
CVE-2023-33461 iniparser v4.1 is vulnerable to a NULL Pointer Dereference in the function iniparser_getlongint, which does not check the return value of iniparser_getstring for NULL. -- Jun 1, 2023 n/a
CVE-2023-33460 There is a memory leak in yajl 2.1.0 when the yajl_tree_parse function is used, which will cause an out-of-memory condition in the server and cause a crash. -- Jun 6, 2023 n/a
CVE-2023-33457 In Sogou Workflow v0.10.6, a memcpy with a negative size in URIParser::parse may cause a buffer overflow and crash. -- Jun 6, 2023 n/a
CVE-2023-33443 Incorrect access control in the administrative functionalities of BES--6024PB-I50H1 VideoPlayTool v2.0.1.0 allows attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints. -- Jun 8, 2023 n/a
CVE-2023-33440 Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user. -- May 29, 2023 n/a
CVE-2023-33439 Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_task.php?id=. -- May 29, 2023 n/a
CVE-2023-33410 Minical 1.0.0 and earlier contains a CSV injection vulnerability which allows an attacker to execute remote code. The vulnerability exists due to insufficient input validation on the Customer Name field in the Accounting module that is used to construct a CSV file. -- Jun 6, 2023 n/a
CVE-2023-33409 Minical 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF) via minical/public/application/controllers/settings/company.php. -- Jun 6, 2023 n/a
CVE-2023-33408 Minical 1.0.0 is vulnerable to Cross Site Scripting (XSS). The vulnerability exists due to insufficient input validation in the application's user input handling in the security_helper.php file. -- Jun 6, 2023 n/a
CVE-2023-33394 skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). Attackers can achieve backend XSS by deploying malicious JSON data. -- May 26, 2023 n/a
CVE-2023-33386 MarsCTF 1.2.1 has an arbitrary file upload vulnerability in the interface for uploading attachments in the background. -- Jun 5, 2023 n/a
CVE-2023-33381 A command injection vulnerability was found in the ping functionality of the MitraStar GPT-2741GNAC router (firmware version AR_g5.8_110WVN0b7_2). The vulnerability allows an authenticated user to execute arbitrary OS commands by sending specially crafted input to the router via the ping function. -- Jun 6, 2023 n/a
CVE-2023-33362 Piwigo 13.6.0 is vulnerable to SQL Injection via the profile function. -- May 23, 2023 n/a
CVE-2023-33361 Piwigo 13.6.0 is vulnerable to SQL Injection via /admin/permalinks.php. -- May 23, 2023 n/a
CVE-2023-33359 Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the add tags function. -- May 23, 2023 n/a
CVE-2023-33356 IceCMS v1.0.0 is vulnerable to Cross Site Scripting (XSS). -- May 25, 2023 n/a
CVE-2023-33355 IceCMS v1.0.0 has Insecure Permissions. There is unauthorized access to the API, resulting in the disclosure of sensitive information. -- May 25, 2023 n/a
CVE-2023-33338 Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter. -- May 23, 2023 n/a
CVE-2023-33332 Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Product Vendors plugin <= 2.1.76 versions. -- May 30, 2023 n/a
CVE-2023-33328 Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PluginOps MailChimp Subscribe Form plugin <= 4.0.9.1 versions. -- May 28, 2023 n/a
CVE-2023-33326 Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in EventPrime plugin <= 2.8.6 versions. -- May 28, 2023 n/a
CVE-2023-33319 Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. -- May 30, 2023 n/a
CVE-2023-33316 Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. -- May 30, 2023 n/a
CVE-2023-33315 Cross-Site Request Forgery (CSRF) vulnerability in Stephen Darlington, Wandle Software Limited Smart App Banner plugin <= 1.1.2 versions. -- May 28, 2023 n/a
CVE-2023-33314 Cross-Site Request Forgery (CSRF) vulnerability in realmag777 BEAR plugin <= 1.1.3.1 versions. -- May 28, 2023 n/a
CVE-2023-33313 Cross-Site Request Forgery (CSRF) vulnerability in ThemeinProgress WIP Custom Login plugin <= 1.2.9 versions. -- May 30, 2023 n/a
CVE-2023-33311 Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CRM Perks Contact Form Entries plugin <= 1.3.0 versions. -- May 30, 2023 n/a
CVE-2023-33309 Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Awesome Motive Duplicator Pro plugin <= 4.5.11 versions. -- May 28, 2023 n/a
CVE-2023-33297 Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023. -- May 22, 2023 n/a
CVE-2023-33294 An issue was discovered in KaiOS 3.0 before 3.1. The /system/bin/tctweb_server binary exposes a local web server that responds to GET and POST requests on port 2929. The server accepts arbitrary Bash commands and executes them as root. Because it is not permission or context restricted and returns proper CORS headers, it's accessible to all websites via the browser. At a bare minimum, this allows an attacker to retrieve a list of the user's installed apps, notifications, and downloads. It also allows an attacker to delete local files and modify system properties including the boolean persist.moz.killswitch property (which would render the device inoperable). This vulnerability is partially mitigated by SELinux which prevents reads, writes, or modifications to files or permissions within protected partitions. -- May 22, 2023 n/a
CVE-2023-33293 An issue was discovered in KaiOS 3.0 and 3.1. The binary /system/kaios/api-daemon exposes a local web server on *.localhost with subdomains for each installed application, e.g., myapp.localhost. An attacker can make fetch requests to api-daemon to determine if a given app is installed and read the manifest.webmanifest contents, including the app version. -- May 22, 2023 n/a
CVE-2023-33291 In ebankIT 6, the public endpoints /public/token/Email/generate and /public/token/SMS/generate allow generation of OTP messages to any e-mail address or phone number without validation. (It cannot be exploited with e-mail addresses or phone numbers that are registered in the application.) -- May 30, 2023 n/a
CVE-2023-33288 An issue was discovered in the Linux kernel before 6.2.9. A use-after-free was found in bq24190_remove in drivers/power/supply/bq24190_charger.c. It could allow a local attacker to crash the system due to a race condition. -- May 22, 2023 n/a
CVE-2023-33287 A stored cross-site scripting (XSS) vulnerability in the Inline Table Editing application before 3.8.0 for Confluence allows attackers to store and execute arbitrary JavaScript via a crafted payload injected into the tables. -- Jun 1, 2023 n/a
CVE-2023-33285 An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. -- May 22, 2023 n/a
CVE-2023-33284 Marval MSM through 14.19.0.12476 and 15.0 has a Remote Code Execution vulnerability. A remote attacker authenticated as any user is able to execute code in context of the web server. -- Jun 7, 2023 n/a
CVE-2023-33283 Marval MSM through 14.19.0.12476 uses a static encryption key for secrets. An attacker that gains access to encrypted secrets can decrypt them by using this key. -- Jun 7, 2023 n/a
CVE-2023-33282 Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. A remote attacker is able to login and create a valid session. This makes it possible to make backend calls to endpoints in the application. -- Jun 7, 2023 n/a
CVE-2023-33281 The remote keyfob system on Nissan Sylphy Classic 2021 sends the same RF signal for each door-open request, which allows for a replay attack. -- May 22, 2023 n/a
CVE-2023-33280 In the Store Commander scquickaccounting module for PrestaShop through 3.7.3, multiple sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. -- May 25, 2023 n/a
CVE-2023-33279 In the Store Commander scfixmyprestashop module through 2023-05-09 for PrestaShop, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. -- May 25, 2023 n/a
CVE-2023-33278 In the Store Commander scexportcustomers module for PrestaShop through 3.6.1, sensitive SQL calls can be executed with a trivial HTTP request and exploited to forge a blind SQL injection. -- May 25, 2023 n/a
CVE-2023-33264 In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, configuration routines don't mask passwords in the member configuration properly. This allows Hazelcast Management Center users to view some of the secrets. -- May 22, 2023 n/a
CVE-2023-33263 In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory. NOTE: this is a product from 2006. -- May 25, 2023 n/a
CVE-2023-33255 An issue was discovered in Papaya Viewer 4a42701. User-supplied input in the form of DICOM or NIFTI images can be loaded into the Papaya web application without any kind of sanitization. This allows injection of arbitrary JavaScript code into image metadata, which is executed when that metadata is displayed in the Papaya web application. -- May 30, 2023 n/a
CVE-2023-33254 There is an LDAP bind credentials exposure on KACE Systems Deployment and Remote Site appliances 9.0.146. The captured credentials may provide a higher privilege level on the Active Directory domain. To exploit this, an authenticated attacker edits the user-authentication settings to specify an attacker-controlled LDAP server, clicks the Test Settings button, and captures the cleartext credentials. -- May 22, 2023 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.