Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

Showing 50 of 43765 entries
| ID | Description | Priority | Modified date | Fixed Release |
| --- | --- | --- | --- | --- |
| CVE-2015-2158 | Off-by-one error in the pngcrush_measure_idat function in pngcrush.c in pngcrush before 1.7.84 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file. | MEDIUM | Oct 6, 2017 | -- (VxWorks 7) |
| CVE-2015-2156 | Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. | MEDIUM | Oct 18, 2017 | -- (VxWorks 7) |
| CVE-2015-2150 | Xen 3.3.x through 4.5.x does not properly restrict access to PCI command registers, which might allow local guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. | Medium | Mar 12, 2015 | -- (VxWorks 7) |
| CVE-2015-2148 | Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.2 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | LOW | Oct 6, 2017 | -- (VxWorks 7) |
| CVE-2015-2147 | Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. | HIGH | Oct 6, 2017 | -- (VxWorks 7) |
| CVE-2015-2146 | Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to project.php, the (2) group_id parameter to group.php, the (3) status_id parameter to status.php, the (4) resolution_id parameter to resolution.php, the (5) severity_id parameter to severity.php, the (6) priority_id parameter to priority.php, the (7) os_id parameter to os.php, or the (8) site_id parameter to site.php. | HIGH | Oct 6, 2017 | -- (VxWorks 7) |
| CVE-2015-2145 | Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | LOW | Oct 6, 2017 | -- (VxWorks 7) |
| CVE-2015-2144 | Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) project name parameter to project.php; the (2) use_js parameter to user.php; the (3) use_js parameter to group.php; the (4) Description parameter to status.php; the (5) Description parameter to severity.php; the (6) Regex parameter to os.php; or the (7) Name parameter to database.php. | LOW | Oct 9, 2017 | -- (VxWorks 7) |
| CVE-2015-2143 | Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters. | MEDIUM | Oct 6, 2017 | -- (VxWorks 7) |
| CVE-2015-2142 | Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the authentication of users for requests that cause an unspecified impact via the group_id parameter to group.php, (3) hijack the authentication of users for requests that delete statuses via the status_id parameter to status.php, (4) hijack the authentication of users for requests that delete severities via the severity_id parameter to severity.php, (5) hijack the authentication of users for requests that cause an unspecified impact via the priority_id parameter to priority.php, (6) hijack the authentication of users for requests that delete the operating system via the os_id parameter to os.php, (7) hijack the authentication of users for requests that delete databases via the database_id parameter to database.php, or (8) hijack the authentication of users for requests that delete sites via the site_id parameter to sites.php. | MEDIUM | Oct 6, 2017 | -- (VxWorks 7) |
| CVE-2015-2081 | Datto ALTO and SIRIS devices allow Remote Code Execution via unauthenticated requests to PHP scripts. | -- | Feb 20, 2018 | -- (VxWorks 7) |
| CVE-2015-2046 | Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later before 1.2.20. | Medium | Sep 1, 2017 | -- (VxWorks 7) |
| CVE-2015-2020 | The MyScript SDK before 1.3 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | -- | Mar 29, 2018 | -- (VxWorks 7) |
| CVE-2015-2009 | Cross-site request forgery (CSRF) vulnerability in the xmlrpc.cgi service in IBM QRadar SIEM 7.1 before MR2 Patch 11 Interim Fix 02 and 7.2.x before 7.2.5 Patch 4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences via vectors related to webmin. IBM X-Force ID: 103921. | -- | Mar 29, 2018 | -- (VxWorks 7) |
| CVE-2015-2004 | The GraceNote GNSDK SDK before SVN Changeset 1.1.7 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | -- | Mar 29, 2018 | -- (VxWorks 7) |
| CVE-2015-2003 | The PJSIP PJSUA2 SDK before SVN Changeset 51322 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | -- | Mar 29, 2018 | -- (VxWorks 7) |
| CVE-2015-2002 | The ESRI ArcGis Runtime SDK before 10.2.6-2 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | -- | Mar 29, 2018 | -- (VxWorks 7) |
| CVE-2015-2001 | The MetaIO SDK before 6.0.2.1 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | -- | Mar 29, 2018 | -- (VxWorks 7) |
| CVE-2015-2000 | The Jumio SDK before 1.5.0 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | -- | Mar 29, 2018 | -- (VxWorks 7) |
| CVE-2015-1976 | IBM Security Directory Server could allow an authenticated user to execute commands into the web administration tool that would cause the tool to crash. | Low | Feb 14, 2017 | -- (VxWorks 7) |
| CVE-2015-1975 | The web administration tool in IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, and 6.3 before iFix 37 and IBM Security Directory Server 6.3.1 before iFix 11 and 6.4 before iFix 2 allows local users to gain privileges via vectors related to argument injection. IBM X-Force ID: 103694. | -- | Apr 3, 2018 | -- (VxWorks 7) |
| CVE-2015-1957 | IBM WebSphere MQ 7.5.x before 7.5.0.6 and 8.0.x before 8.0.0.3 allows remote authenticated users to obtain sensitive information via a man-in-the-middle attack, related to duplication of message data in cleartext outside the protected payload. IBM X-Force ID: 103482. | -- | Apr 10, 2018 | -- (VxWorks 7) |
| CVE-2015-1952 | Cross-site scripting (XSS) vulnerability in IBM AppScan Enterprise Edition 9.0.x before 9.0.2 iFix 001 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 103416. | -- | Apr 16, 2018 | -- (VxWorks 7) |
| CVE-2015-1878 | Thales nShield Connect hardware models 500, 1500, 6000, 500+, 1500+, and 6000+ before 11.72 allow physically proximate attackers to sign arbitrary data with previously loaded signing keys, extract the device identification key [KNETI] and impersonate the nShield Connect device on a network, affect the integrity and confidentiality of newly created keys, and potentially cause other unspecified impacts using previously loaded keys by connecting to the USB port on the front panel. | MEDIUM | Aug 18, 2017 | -- (VxWorks 7) |
| CVE-2015-1876 | Directory traversal vulnerability in ES File Explorer 3.2.4.1. | Medium | Sep 6, 2017 | -- (VxWorks 7) |
| CVE-2015-1870 | The event scripts in Automatic Bug Reporting Tool (ABRT) use world-readable permission on a copy of the sosreport file in problem directories, which allows local users to obtain sensitive information from /var/log/messages via unspecified vectors. | LOW | Jun 26, 2017 | -- (VxWorks 7) |
| CVE-2015-1866 | Cross-site scripting (XSS) vulnerability in Ember.js 1.10.x before 1.10.1 and 1.11.x before 1.11.2. | MEDIUM | Sep 20, 2017 | -- (VxWorks 7) |
| CVE-2015-1865 | fts.c in coreutils 8.4 allows local users to delete arbitrary files. | LOW | Sep 20, 2017 | -- (VxWorks 7) |
| CVE-2015-1864 | Multiple cross-site scripting (XSS) vulnerabilities in the administration pages in Kallithea before 0.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) first name or (2) last name user details, or the (3) repository, (4) repository group, or (5) user group description. | LOW | Sep 19, 2017 | -- (VxWorks 7) |
| CVE-2015-1862 | The crash reporting feature in Abrt allows local users to gain privileges by leveraging an execve by root after a chroot into a user-specified directory in a namespaced environment. | -- | Feb 9, 2018 | -- (VxWorks 7) |
| CVE-2015-1857 | The odl-mdsal-apidocs feature in OpenDaylight Helium allows remote attackers to obtain sensitive information by leveraging missing AAA restrictions. | -- | Apr 27, 2018 | -- (VxWorks 7) |
| CVE-2015-1854 | 389 Directory Server before 1.3.3.10 allows attackers to bypass intended access restrictions and modify directory entries via a crafted ldapmodrdn call. | MEDIUM | Sep 19, 2017 | -- (VxWorks 7) |
| CVE-2015-1849 | AdvancedLdapLoginModule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential password when TRACE logging is enabled. | MEDIUM | Sep 19, 2017 | -- (VxWorks 7) |
| CVE-2015-1847 | Directory traversal vulnerability in the web request/response interface in Appserver before 1.0.3 allows remote attackers to read normally inaccessible files via a .. (dot dot) in a crafted URL. | MEDIUM | Jul 24, 2017 | -- (VxWorks 7) |
| CVE-2015-1839 | modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp. | Medium | Apr 19, 2017 | -- (VxWorks 7) |
| CVE-2015-1838 | modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp. | Medium | Apr 19, 2017 | -- (VxWorks 7) |
| CVE-2015-1835 | Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL. | LOW | Oct 27, 2017 | -- (VxWorks 7) |
| CVE-2015-1834 | A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.2. Path traversal is the 'outbreak' of a given directory structure through relative file paths in the user input. It aims at accessing files and directories that are stored outside the web root folder, for disallowed reading or even executing arbitrary system commands. An attacker could use a certain parameter of the file path for instance to inject '../' sequences in order to navigate through the file system. In this particular case a remote authenticated attacker can exploit the identified vulnerability in order to upload arbitrary files to the server running a Cloud Controller instance, outside the isolated application container. | Medium | Jun 7, 2017 | -- (VxWorks 7) |
| CVE-2015-1828 | The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle attack. | MEDIUM | Oct 6, 2017 | -- (VxWorks 7) |
| CVE-2015-1820 | REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect. | HIGH | Aug 9, 2017 | -- (VxWorks 7) |
| CVE-2015-1817 | Stack-based buffer overflow in the inet_pton function in network/inet_pton.c in musl libc 0.9.15 through 1.0.4, and 1.1.0 through 1.1.7 allows attackers to have unspecified impact via unknown vectors. | HIGH | Aug 18, 2017 | -- (VxWorks 7) |
| CVE-2015-1801 | The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 kernel 3.4 and earlier allows attackers to cause a denial of service (memory corruption) or gain privileges. | HIGH | Aug 24, 2017 | -- (VxWorks 7) |
| CVE-2015-1800 | The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 kernel 3.4 and earlier allows attackers to potentially obtain sensitive information. | MEDIUM | Aug 24, 2017 | -- (VxWorks 7) |
| CVE-2015-1799 | The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. | Medium | Apr 14, 2015 | ntp-1.1.0.0 (VxWorks 7) |
| CVE-2015-1798 | The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. | Low | Apr 14, 2015 | ntp-1.1.0.0 (VxWorks 7) |
| CVE-2015-1795 | Red Hat Gluster Storage RPM Package 3.2 allows local users to gain privileges and execute arbitrary code as root. | HIGH | Jun 27, 2017 | -- (VxWorks 7) |
| CVE-2015-1793 | The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate. | LOW | Jul 10, 2015 | openSSL-1.0.5.0 (VxWorks 7) |
| CVE-2015-1792 | The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function. | MEDIUM | Jun 12, 2015 | openSSL-1.0.4.0 (VxWorks 7) |
| CVE-2015-1791 | Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier. | MEDIUM | Jun 12, 2015 | openSSL-1.0.4.0 (VxWorks 7) |
| CVE-2015-1790 | The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data. | MEDIUM | Jun 12, 2015 | openSSL-1.0.4.0 (VxWorks 7) |
The 'Fixed Release' column is displayed only when a single product version is selected in the filter. A fixed release is listed where the CVE has been addressed and fixed for that product version; '--' means no fixed release is recorded.