Total: 6050 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-5257 | Microsoft, Whitehsbg | Windows, Jndiexploit | 2024-06-05 | 2.7 LOW | 5.7 MEDIUM | A vulnerability was found in WhiteHSBG JNDIExploit 1.4 on Windows. It has been rated as problematic. Affected by this issue is the function handleFileRequest of the file src/main/java/com/feihong/ldap/HTTPServer.java. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. VDB-240866 is the identifier assigned to this vulnerability. |
| CVE-2024-5353 | | | 2024-06-04 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability classified as critical has been found in anji-plus AJ-Report up to 1.4.1. This affects the function decompress of the component ZIP File Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-266265 was assigned to this vulnerability. |
| CVE-2024-3311 | | | 2024-06-04 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been declared as critical. Affected by this vulnerability is the function ZipUtils.unZipFiles of the file controller/admin/ThemesController.java. The manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.3.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-259369 was assigned to this vulnerability. |
| CVE-2024-3195 | | | 2024-06-04 | 5.8 MEDIUM | 4.7 MEDIUM | A vulnerability was found in MailCleaner up to 2023.03.14. It has been classified as critical. This affects an unknown part of the component Admin Endpoints. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-262311. |
| CVE-2022-32275 | Grafana | Grafana | 2024-06-04 | 5.0 MEDIUM | 7.5 HIGH | Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/../../../../../../../../etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content. |
| CVE-2018-20437 | Mrbird | Febs-shiro | 2024-06-04 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in the fileDownload function in the CommonController class in FEBS-Shiro before 2018-11-05. An attacker can download a file via a request of the form /common/download?filename=1.jsp&delete=false. NOTE: the software maintainer disputes the significance of this report because the product uses a JAR archive for deployment, and this contains application.yml with configuration data. |
| CVE-2024-33568 | | | 2024-06-04 | N/A | 8.5 HIGH | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data vulnerability in BdThemes Element Pack Pro allows Path Traversal, Object Injection. This issue affects Element Pack Pro: from n/a through 7.7.4. |
| CVE-2024-33541 | | | 2024-06-04 | N/A | 6.5 MEDIUM | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BetterAddons Better Elementor Addons allows PHP Local File Inclusion. This issue affects Better Elementor Addons: from n/a through 1.4.1. |
| CVE-2024-33557 | | | 2024-06-04 | N/A | 8.5 HIGH | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore Core allows PHP Local File Inclusion. This issue affects XStore Core: from n/a through 5.3.8. |
| CVE-2024-33560 | | | 2024-06-04 | N/A | 9.0 CRITICAL | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 8theme XStore allows PHP Local File Inclusion. This issue affects XStore: from n/a through 9.3.8. |
| CVE-2024-33628 | | | 2024-06-04 | N/A | 8.8 HIGH | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in XforWooCommerce allows PHP Local File Inclusion. This issue affects XforWooCommerce: from n/a through 2.0.2. |
| CVE-2024-27776 | | | 2024-06-03 | N/A | 9.8 CRITICAL | MileSight DeviceHub - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') may allow Unauthenticated RCE. |
| CVE-2024-5433 | | | 2024-05-29 | N/A | N/A | The Campbell Scientific CSI Web Server supports a command that will return the most recent file that matches a given expression. A specially crafted expression can lead to a path traversal vulnerability. This command combined with a specially crafted expression allows anonymous, unauthenticated access (allowed by default) by an attacker to files and directories outside of the webserver root directory they should be restricted to. |
| CVE-2023-38176 | Microsoft | Azure Arc-enabled Servers | 2024-05-29 | N/A | 7.0 HIGH | Azure Arc-Enabled Servers Elevation of Privilege Vulnerability. |
| CVE-2023-5938 | | | 2024-05-28 | N/A | 8.0 HIGH | Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via 'zip slip' attacks. An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to have arbitrary files extracted to arbitrary filesystem locations. Leveraging this issue, an attacker may be able to overwrite arbitrary files on the target filesystem and cause critical impacts on the system (e.g., arbitrary command execution on the victim's machine). |
| CVE-2024-35219 | | | 2024-05-28 | N/A | 8.3 HIGH | OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the `outputFolder` option. The issue was fixed in version 7.6.0 by removing the usage of the `outputFolder` option. No known workarounds are available. |
| CVE-2021-26725 | Nozominetworks | Central Management Control, Guardian | 2024-05-28 | 4.0 MEDIUM | 4.9 MEDIUM | Path Traversal vulnerability when changing timezone using the web GUI of Nozomi Networks Guardian and CMC allows an authenticated administrator to read protected system files. This issue affects Nozomi Networks Guardian version 20.0.7.3 and prior versions, and Nozomi Networks CMC version 20.0.7.3 and prior versions. |
| CVE-2024-34060 | | | 2024-05-24 | N/A | 8.8 HIGH | IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through the IRIS web application. During the upload of an EVTX through this pipeline, the filename is not safely handled and may cause an Arbitrary File Write. This can lead to remote code execution (RCE) when combined with a Server Side Template Injection (SSTI). This vulnerability has been patched in version 1.0.0. |
| CVE-2024-5040 | | | 2024-05-22 | N/A | 7.8 HIGH | There are multiple ways in LCDS LAquis SCADA for an attacker to access locations outside of their own directory. |
| CVE-2021-29101 | Esri | Arcgis Geoevent Server | 2024-05-21 | 5.0 MEDIUM | 7.5 HIGH | ArcGIS GeoEvent Server versions 10.8.1 and below have a read-only directory path traversal vulnerability that could allow an unauthenticated, remote attacker to perform directory traversal attacks and read arbitrary files on the system. |
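Two shapes of CWE-22 recur in the entries above: a caller-supplied file name joined onto a base directory without a containment check (the FEBS-Shiro `filename=` download, the CSI Web Server expression, ArcGIS GeoEvent), and archive entry names written as-is during extraction, the "zip slip" pattern (AJ-Report, Dreamer CMS, Arc; the IrisEVTXModule upload file name is the same defect reached through an upload rather than an archive). The following is an added Python example, not code from any of the listed projects, that shows the vulnerable form of each beside a hardened form built on one `resolve_within` helper. The helper name, the sandbox layout and the archive contents are constructed for the demo.

```python
"""Added example: path containment for a download parameter and for zip extraction.

Not code from any project in the listing. Function names (resolve_within,
vulnerable_*, safe_*) and the sandbox layout are assumptions made for the demo.
"""
import io
import os
import tempfile
import zipfile
from typing import Optional


def resolve_within(base_dir: str, untrusted: str) -> Optional[str]:
    """Return the absolute path of `untrusted` placed under `base_dir`, or None if
    it would escape. Rejects NUL bytes, resolves '..' and symlinks via realpath,
    and uses commonpath so that /srv/data does not accept /srv/data-evil/x.
    The caller must have decoded the value exactly once (the web framework does)."""
    if "\x00" in untrusted:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when untrusted is absolute; commonpath catches that too
    candidate = os.path.realpath(os.path.join(base, untrusted))
    try:
        return candidate if os.path.commonpath([base, candidate]) == base else None
    except ValueError:  # different drives on Windows
        return None


def vulnerable_download(root: str, filename: str) -> bytes:
    """The pattern behind the 'filename=' entries: join and open, no check."""
    with open(os.path.join(root, filename), "rb") as f:
        return f.read()


def safe_download(root: str, filename: str) -> Optional[bytes]:
    """Hardened form: only regular files that resolve inside root are served."""
    target = resolve_within(root, filename)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, "rb") as f:
        return f.read()


def build_archive(include_slip: bool) -> bytes:
    """Constructed sample archive: one benign entry, optionally one that climbs out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/style.css", "body{}")
        if include_slip:
            zf.writestr("../../escaped.txt", "written outside the extraction root")
    return buf.getvalue()


def vulnerable_unzip(archive: bytes, dest: str) -> list:
    """The pattern behind the zip-slip entries: entry name joined to dest and written as-is.
    (Python's ZipFile.extractall strips '..' itself, so the unsafe loop is written by hand,
    mirroring the hand-rolled Java extractors named in the listing.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(out))
    return written


def safe_unzip(archive: bytes, dest: str) -> list:
    """Hardened form: every entry is resolved and checked before anything is written,
    so a hostile entry yields a rejection instead of a half-extracted archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        targets = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            out = resolve_within(dest, info.filename)
            if out is None:
                raise ValueError(f"zip slip entry rejected: {info.filename!r}")
            targets.append((info, out))
        written = []
        for info, out in targets:
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(out)
    return written


def demo() -> dict:
    """Run both patterns in a throwaway sandbox (constructed layout):
        <sandbox>/a/secret.txt   sensitive file two levels above the root
        <sandbox>/a/b/root/      directory each handler must stay inside"""
    report = {}
    with tempfile.TemporaryDirectory() as sandbox:
        root = os.path.join(sandbox, "a", "b", "root")
        os.makedirs(root)
        with open(os.path.join(sandbox, "a", "secret.txt"), "w") as f:
            f.write("top secret")
        # 1. file-name parameter traversal
        report["vulnerable_download_leaked"] = vulnerable_download(root, "../../secret.txt").decode()
        report["safe_download_result"] = safe_download(root, "../../secret.txt")
        # 2. zip slip
        real_root = os.path.realpath(root)
        written = vulnerable_unzip(build_archive(include_slip=True), root)
        outside = [p for p in written if os.path.commonpath([real_root, p]) != real_root]
        report["vulnerable_unzip_escaped_file"] = os.path.basename(outside[0]) if outside else None
        safe_root = os.path.join(sandbox, "safe")
        os.makedirs(safe_root)
        try:
            safe_unzip(build_archive(include_slip=True), safe_root)
            report["safe_unzip_rejection"] = None
        except ValueError as e:
            report["safe_unzip_rejection"] = str(e)
        report["safe_unzip_partial_writes"] = os.listdir(safe_root)  # nothing written before rejection
        clean = safe_unzip(build_archive(include_slip=False), safe_root)
        report["safe_unzip_clean_files"] = [os.path.relpath(p, os.path.realpath(safe_root)) for p in clean]
    return report


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The check is deliberately done on the resolved path rather than by rejecting the string `..`: an absolute entry name, a symlink inside the root, or a sibling directory sharing the root's prefix all pass a substring filter and are all caught by comparing `realpath` results with `commonpath`. Validating every archive entry before writing any of them matters for the Arc-style case, where a partially extracted archive can already have overwritten something.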
