Total
6050 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5902 | 1 F5 | 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more | 2023-11-14 | 10.0 HIGH | 9.8 CRITICAL |
| In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages. | |||||
| CVE-2023-41344 | 1 Ncsist | 1 Mobile Device Manager | 2023-11-13 | N/A | 7.5 HIGH |
| NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and read arbitrary system files. | |||||
| CVE-2023-34259 | 1 Kyocera | 2 D-copia253mf Plus, D-copia253mf Plus Firmware | 2023-11-13 | N/A | 4.9 MEDIUM |
| Kyocera TASKalfa 4053ci printers through 2VG_S000.002.561 allow /wlmdeu%2f%2e%2e%2f%2e%2e directory traversal to read arbitrary files on the filesystem, even files that require root privileges. NOTE: this issue exists because of an incomplete fix for CVE-2020-23575. | |||||
| CVE-2023-34260 | 1 Kyocera | 2 D-copia253mf Plus, D-copia253mf Plus Firmware | 2023-11-13 | N/A | 7.5 HIGH |
| Kyocera TASKalfa 4053ci printers through 2VG_S000.002.561 allow a denial of service (service outage) via /wlmdeu%2f%2e%2e%2f%2e%2e followed by a directory reference such as %2fetc%00index.htm to try to read the /etc directory. | |||||
| CVE-2023-47246 | 1 Sysaid | 1 Sysaid On-premises | 2023-11-13 | N/A | 9.8 CRITICAL |
| In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023. | |||||
| CVE-2023-0745 | 1 Yugabyte | 1 Yugabytedb Managed | 2023-11-10 | N/A | 9.8 CRITICAL |
| The High Availability functionality of Yugabyte Anywhere can be abused to write arbitrary files through the backup upload endpoint by using path traversal characters. This vulnerability is associated with program files PlatformReplicationManager.Java. This issue affects YugabyteDB Anywhere: from 2.0.0.0 through 2.13.0.0 | |||||
| CVE-2023-33227 | 1 Solarwinds | 1 Network Configuration Manager | 2023-11-09 | N/A | 8.8 HIGH |
| The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability This vulnerability allows a low level user to perform the actions with SYSTEM privileges. | |||||
| CVE-2023-33226 | 1 Solarwinds | 1 Network Configuration Manager | 2023-11-09 | N/A | 8.8 HIGH |
| The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. | |||||
| CVE-2018-10824 | 1 Dlink | 15 Dir-140l, Dir-140l Firmware, Dir-640l and 12 more | 2023-11-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access. | |||||
| CVE-2018-10822 | 1 Dlink | 15 Dir-140l, Dir-140l Firmware, Dir-640l and 12 more | 2023-11-08 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers to read arbitrary files via a /.. or // after "GET /uir" in an HTTP request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-6190. | |||||
| CVE-2023-2621 | 1 Hitachienergy | 1 Modular Advanced Control For Hvdc | 2023-11-08 | N/A | 6.5 MEDIUM |
| The McFeeder server (distributed as part of SSW package), is susceptible to an arbitrary file write vulnerability on the MAIN computer system. This vulnerability stems from the use of an outdated version of a third-party library, which is used to extract archives uploaded to McFeeder server. An authenticated malicious client can exploit this vulnerability by uploading a crafted ZIP archive via the network to McFeeder’s service endpoint. | |||||
| CVE-2017-12943 | 1 Dlink | 2 Dir-600 B1, Dir-600 B1 Firmware | 2023-11-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password. | |||||
| CVE-2023-46237 | 1 Fogproject | 1 Fogproject | 2023-11-08 | N/A | 5.3 MEDIUM |
| FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10, an endpoint intended to offer limited enumeration abilities to authenticated users was accessible to unauthenticated users. This enabled unauthenticated users to discover files and their respective paths that were visible to the Apache user group. Version 1.5.10 contains a patch for this issue. | |||||
| CVE-2023-43803 | 1 Arduino | 1 Create Agent | 2023-11-08 | N/A | 7.1 HIGH |
| Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-42804 | 1 Bigbluebutton | 1 Bigbluebutton | 2023-11-07 | N/A | 5.3 MEDIUM |
| BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds. | |||||
| CVE-2023-46864 | 1 Peppermint | 1 Peppermint | 2023-11-07 | N/A | 5.3 MEDIUM |
| Peppermint Ticket Management through 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/ticket/1/file/download?filepath=../ POST request. | |||||
| CVE-2023-46863 | 1 Peppermint | 1 Peppermint | 2023-11-07 | N/A | 7.5 HIGH |
| Peppermint Ticket Management before 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/users/file/download?filepath=./../ POST request. | |||||
| CVE-2023-27170 | 1 Xpand-it | 1 Write-back Manager | 2023-11-07 | N/A | 7.5 HIGH |
| Xpand IT Write-back manager v2.3.1 allows attackers to perform a directory traversal via modification of the siteName parameter. | |||||
| CVE-2018-16739 | 1 Abus | 94 Tvip 10000, Tvip 10000 Firmware, Tvip 10001 and 91 more | 2023-11-07 | N/A | 8.8 HIGH |
| An issue was discovered on certain ABUS TVIP devices. Due to a path traversal in /opt/cgi/admin/filewrite, an attacker can write to files, and thus execute code arbitrarily with root privileges. | |||||
| CVE-2023-5414 | 1 Icegram | 1 Icegram Express | 2023-11-07 | N/A | 7.2 HIGH |
| The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including those belonging to other sites, for example in shared hosting environments. | |||||