Total
5025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37500 | 1 Reprisesoftware | 1 Reprise License Manager | 2023-01-27 | N/A | 8.1 HIGH |
| Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file the on the server. | |||||
| CVE-2022-47747 | 1 Uber | 1 Kraken | 2023-01-27 | N/A | 7.5 HIGH |
| kraken <= 0.1.4 has an arbitrary file read vulnerability via the component testfs. | |||||
| CVE-2023-0126 | 1 Sonicwall | 2 Sma1000, Sma1000 Firmware | 2023-01-26 | N/A | 7.5 HIGH |
| Pre-authentication path traversal vulnerability in SMA1000 firmware version 12.4.2, which allows an unauthenticated attacker to access arbitrary files and directories stored outside the web root directory. | |||||
| CVE-2022-3782 | 1 Redhat | 1 Keycloak | 2023-01-25 | N/A | 9.1 CRITICAL |
| keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field. | |||||
| CVE-2022-39347 | 2 Fedoraproject, Freerdp | 2 Fedora, Freerdp | 2023-01-25 | N/A | 5.7 MEDIUM |
| FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch. | |||||
| CVE-2020-36651 | 1 Nodeserver Project | 1 Nodeserver | 2023-01-25 | N/A | 7.5 HIGH |
| A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of the file nodeserver.js. The manipulation leads to path traversal. The name of the patch is c4c0f0138ab5afbac58e03915d446680421bde28. It is recommended to apply a patch to fix this issue. The identifier VDB-218461 was assigned to this vulnerability. | |||||
| CVE-2014-125080 | 1 Faplanet Project | 1 Faplanet | 2023-01-24 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in frontaccounting faplanet and classified as critical. This vulnerability affects unknown code. The manipulation leads to path traversal. The name of the patch is a5dcd87f46080a624b1a9ad4b0dd035bbd24ac50. It is recommended to apply a patch to fix this issue. VDB-218398 is the identifier assigned to this vulnerability. | |||||
| CVE-2019-13385 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.840, File and Directory Information Exposure in filemanager allows attackers to enumerate users and check for active users of the application by reading /tmp/login.log. | |||||
| CVE-2018-18323 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI. | |||||
| CVE-2016-15019 | 1 Jekbox Project | 1 Jekbox | 2023-01-24 | N/A | 7.5 HIGH |
| A vulnerability was found in tombh jekbox. It has been rated as problematic. This issue affects some unknown processing of the file lib/server.rb. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The name of the patch is 64eb2677671018fc08b96718b81e3dbc83693190. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218375. | |||||
| CVE-2022-4101 | 1 Images Optimize And Upload Cf7 Project | 1 Images Optimize And Upload Cf7 | 2023-01-24 | N/A | 9.1 CRITICAL |
| The Images Optimize and Upload CF7 WordPress plugin through 2.1.4 does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack. | |||||
| CVE-2022-41956 | 1 Autolabproject | 1 Autolab | 2023-01-24 | N/A | 6.5 MEDIUM |
| Autolab is a course management service, initially developed by a team of students at Carnegie Mellon University, that enables instructors to offer autograded programming assignments to their students over the Web. A file disclosure vulnerability was discovered in Autolab's remote handin feature, whereby users are able to hand-in assignments using paths outside their submission directory. Users can then view the submission to view the file's contents. The vulnerability has been patched in version 2.10.0. As a workaround, ensure that the field for the remote handin feature is empty (Edit Assessment > Advanced > Remote handin path), and that you are not running Autolab as `root` (or any user that has write access to `/`). Alternatively, disable the remote handin feature if it is unneeded by replacing the body of `local_submit` in `app/controllers/assessment/handin.rb` with `render(plain: "Feature disabled", status: :bad_request) && return`. | |||||
| CVE-2015-10043 | 1 Apollo Project | 1 Apollo | 2023-01-24 | N/A | 8.8 HIGH |
| A vulnerability, which was classified as critical, was found in abreen Apollo. This affects an unknown part. The manipulation of the argument file leads to path traversal. The name of the patch is 6206406630780bbd074aff34f4683fb764faba71. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218307. | |||||
| CVE-2022-42280 | 1 Nvidia | 2 Bmc, Dgx A100 | 2023-01-24 | N/A | 7.8 HIGH |
| NVIDIA BMC contains a vulnerability in SPX REST auth handler, where an un-authorized attacker can exploit a path traversal, which may lead to authentication bypass. | |||||
| CVE-2022-25046 | 1 Control-webpanel | 1 Webpanel | 2023-01-24 | 10.0 HIGH | 9.8 CRITICAL |
| A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2020-15643 | 1 Marvell | 1 Qconvergeconsole | 2023-01-23 | 9.0 HIGH | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole 5.5.0.64. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the saveAsText method of the GWTTestServiceImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-10549. | |||||
| CVE-2022-23532 | 1 Neo4j | 1 Awesome Procedures On Cyper | 2023-01-23 | N/A | 6.5 MEDIUM |
| APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability found in the apoc.export.* procedures of apoc plugins in Neo4j Graph database. The issue allows a malicious actor to potentially break out of the expected directory. The vulnerability is such that files could only be created but not overwritten. For the vulnerability to be exploited, an attacker would need access to execute an arbitrary query, either by having access to an authenticated Neo4j client, or a Cypher injection vulnerability in an application. The minimum versions containing patch for this vulnerability are 4.4.0.12 and 4.3.0.12 and 5.3.1. As a workaround, you can control the allowlist of the procedures that can be used in your system, and/or turn off local file access by setting apoc.export.file.enabled=false. | |||||
| CVE-2022-2893 | 1 Ronds | 1 Equipment Predictive Maintenance | 2023-01-23 | N/A | 6.5 MEDIUM |
| RONDS EPM version 1.19.5 does not properly validate the filename parameter, which could allow an unauthorized user to specify file paths and download files. | |||||
| CVE-2022-38723 | 1 Gravitee | 1 Api Management | 2023-01-23 | N/A | 8.6 HIGH |
| Gravitee API Management before 3.15.13 allows path traversal through HTML injection. | |||||
| CVE-2022-42136 | 1 Mailenable | 1 Mailenable | 2023-01-23 | N/A | 8.8 HIGH |
| Authenticated mail users, under specific circumstances, could add files with unsanitized content in public folders where the IIS user had permission to access. That action, could lead an attacker to store arbitrary code on that files and execute RCE commands. | |||||