Total: 6050 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-23827 | 1 Nginxui | 1 Nginx Ui | 2024-02-08 | N/A | 9.8 CRITICAL |
| Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue. | |||||
| CVE-2024-0844 | 1 Felixmoira | 1 Popup More Popups, Lightboxes, And More Popup Modules | 2024-02-08 | N/A | 7.2 HIGH |
| The Popup More Popups, Lightboxes, and more popup modules plugin for WordPress is vulnerable to Local File Inclusion in version 2.1.6 via the ycfChangeElementData() function. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files ending with "Form.php" on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2020-4053 | 1 Helm | 1 Helm | 2024-02-08 | 8.5 HIGH | 6.8 MEDIUM |
| In Helm greater than or equal to 3.0.0 and less than 3.2.4, a path traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and copy a file outside of the intended directory. This has been fixed in 3.2.4. | |||||
| CVE-2022-24877 | 1 Fluxcd | 2 Flux2, Kustomize-controller | 2024-02-08 | 6.5 MEDIUM | 8.8 HIGH |
| Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to expose sensitive data from the controller’s pod filesystem and possibly privilege escalation in multi-tenancy deployments. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. | |||||
| CVE-2022-31503 | 1 Orchest | 1 Orchest | 2024-02-08 | 6.4 MEDIUM | 9.3 CRITICAL |
| The orchest/orchest repository before 2022.05.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2019-20916 | 4 Debian, Opensuse, Oracle and 1 more | 5 Debian Linux, Leap, Communications Cloud Native Core Network Function Cloud Native Environment and 2 more | 2024-02-08 | 5.0 MEDIUM | 7.5 HIGH |
| The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. | |||||
| CVE-2024-24940 | 1 Jetbrains | 1 Intellij Idea | 2024-02-07 | N/A | 4.3 MEDIUM |
| In JetBrains IntelliJ IDEA before 2023.3.3, path traversal was possible when unpacking archives. | |||||
| CVE-2024-0380 | 1 Bootstrapped | 1 Wp Recipe Maker | 2024-02-07 | N/A | 4.3 MEDIUM |
| The WP Recipe Maker plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 9.1.0 via the 'icon' attribute used in Shortcodes. This makes it possible for authenticated attackers, with contributor-level access and above, to include the contents of SVG files on the server, which can be leveraged for Cross-Site Scripting. | |||||
| CVE-2023-30970 | 1 Palantir | 2 Gotham Blackbird-witchcraft, Gotham Static-assets-servlet | 2024-02-07 | N/A | 6.5 MEDIUM |
| Gotham Table service and Forward App were found to be vulnerable to a Path traversal issue allowing an authenticated user to read arbitrary files on the file system. | |||||
| CVE-2022-20723 | 1 Cisco | 1 Ios Xe | 2024-02-07 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-20722 | 1 Cisco | 1 Ios Xe | 2024-02-07 | 6.8 MEDIUM | 4.9 MEDIUM |
| Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-20721 | 1 Cisco | 1 Ios Xe | 2024-02-07 | 6.8 MEDIUM | 4.9 MEDIUM |
| Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-20719 | 1 Cisco | 1 Ios Xe | 2024-02-07 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2022-20718 | 1 Cisco | 1 Ios Xe | 2024-02-07 | 9.0 HIGH | 7.2 HIGH |
| Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2024-22096 | 1 Rapidscada | 1 Rapid Scada | 2024-02-07 | N/A | 6.5 MEDIUM |
| In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can append path traversal characters to the filename when using a specific command, allowing them to read arbitrary files from the system. | |||||
| CVE-2024-21852 | 1 Rapidscada | 1 Rapid Scada | 2024-02-07 | N/A | 8.8 HIGH |
| In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can supply a malicious configuration file by utilizing a Zip Slip vulnerability in the unpacking routine to achieve remote code execution. | |||||
| CVE-2023-45027 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-02-06 | N/A | 4.9 MEDIUM |
| A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later; QuTS hero h5.1.5.2647 build 20240118 and later; QuTScloud c5.1.5.2651 and later. | |||||
| CVE-2023-45026 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-02-06 | N/A | 4.9 MEDIUM |
| A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.5.2645 build 20240116 and later; QuTS hero h5.1.5.2647 build 20240118 and later; QuTScloud c5.1.5.2651 and later. | |||||
| CVE-2024-24565 | 1 Cratedb | 1 Cratedb | 2024-02-05 | N/A | 6.5 MEDIUM |
| CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1. | |||||
| CVE-2024-22523 | 1 Fuwushe | 1 Ifair | 2024-02-05 | N/A | 7.5 HIGH |
| Directory Traversal vulnerability in Qiyu iFair version 23.8_ad0 and before allows remote attackers to obtain sensitive information via the uploadimage component. | |||||
