Total
5025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-9015 | 1 Mopcms | 1 Mopcms | 2019-02-22 | 6.4 MEDIUM | 9.1 CRITICAL |
| A Path Traversal vulnerability was discovered in MOPCMS through 2018-11-30, leading to deletion of unexpected critical files. The exploitation point is in the "column management" function. The path added to the column is not verified. When a column is deleted by an attacker, the corresponding directory is deleted, as demonstrated by ./ to delete the entire web site. | |||||
| CVE-2019-8412 | 1 Feifeicms | 1 Feifeicms | 2019-02-20 | 6.5 MEDIUM | 8.8 HIGH |
| FeiFeiCms 4.0.181010 on Windows allows remote attackers to read or delete arbitrary files via index.php?s=Admin-Data-Down-id-..\ or index.php?s=Admin-Data-Del-id-..\ directory traversal. | |||||
| CVE-2019-8411 | 1 Zzcms | 1 Zzcms | 2019-02-19 | 6.4 MEDIUM | 7.5 HIGH |
| admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal. | |||||
| CVE-2015-4617 | 1 Easy2map | 1 Easy2map-photos | 2019-02-19 | 5.0 MEDIUM | 7.5 HIGH |
| Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpload.php and MapPinIconSave.php allows path traversal when specifying file names creating files outside of the upload directory. | |||||
| CVE-2019-8407 | 1 Hongcms Project | 1 Hongcms | 2019-02-19 | 5.5 MEDIUM | 6.5 MEDIUM |
| HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php/language/edit URI. | |||||
| CVE-2019-8358 | 1 Hiawatha-webserver | 1 Hiawatha | 2019-02-19 | 6.8 MEDIUM | 8.1 HIGH |
| In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled. | |||||
| CVE-2018-20437 | 1 Mrbird | 1 Febs-shiro | 2019-02-15 | 5.0 MEDIUM | 7.5 HIGH |
| ** DISPUTED ** An issue was discovered in the fileDownload function in the CommonController class in FEBS-Shiro before 2018-11-05. An attacker can download a file via a request of the form /common/download?filename=1.jsp&delete=false. NOTE: the software maintainer disputes the significance of this report because the product uses a JAR archive for deployment, and this contains application.yml with configuration data. | |||||
| CVE-2019-1000008 | 1 Helm | 1 Helm | 2019-02-15 | 4.3 MEDIUM | 6.5 MEDIUM |
| All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The commands `helm fetch --untar` and `helm lint some.tgz` that can result when chart archive files are unpacked a file may be unpacked outside of the target directory. This attack appears to be exploitable via a victim must run a helm command on a specially crafted chart archive. This vulnerability appears to have been fixed in 2.12.2. | |||||
| CVE-2019-5910 | 1 Housegate | 1 House Gate | 2019-02-14 | 5.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in HOUSE GATE App for iOS 1.7.8 and earlier allows remote attackers to read arbitrary files via unspecified vectors. | |||||
| CVE-2018-0722 | 1 Qnap | 2 Photo Station, Qts | 2019-02-12 | 5.0 MEDIUM | 7.5 HIGH |
| Path Traversal vulnerability in Photo Station versions: 5.7.2 and earlier in QTS 4.3.4, 5.4.4 and earlier in QTS 4.3.3, 5.2.8 and earlier in QTS 4.2.6 could allow remote attackers to access sensitive information on the device. | |||||
| CVE-2019-7678 | 1 Enphase | 1 Envoy | 2019-02-12 | 7.5 HIGH | 9.8 CRITICAL |
| A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888. | |||||
| CVE-2015-2971 | 1 Seeds | 1 Acmailer | 2019-02-11 | 5.5 MEDIUM | N/A |
| Directory traversal vulnerability in Seeds acmailer before 3.8.18 and 3.9.x before 3.9.12 Beta allows remote authenticated users to delete arbitrary files via a crafted string. | |||||
| CVE-2019-6500 | 1 Axway | 1 File Tranfer Direct | 2019-02-08 | 5.0 MEDIUM | 7.5 HIGH |
| In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring. | |||||
| CVE-2019-1000009 | 1 Helm | 1 Chartmuseum | 2019-02-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| Helm ChartMuseum version >=0.1.0 and < 0.8.1 contains a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in HTTP API to save charts that can result in a specially crafted chart could be uploaded and saved outside the intended location. This attack appears to be exploitable via A POST request to the HTTP API can save a chart archive outside of the intended directory. If authentication is, optionally, enabled this requires an authorized user to do so. This vulnerability appears to have been fixed in 0.8.1. | |||||
| CVE-2018-20332 | 1 Openwebif Project | 1 Openwebif | 2019-02-07 | 5.0 MEDIUM | 7.5 HIGH |
| An issue has been discovered in the OpenWebif plugin through 1.2.4 for Enigma2 based devices. Reading of arbitrary files is possible with /file?action=download&file= followed by a full pathname, and listing of arbitrary directories is possible with /file?action=download&dir= followed by a full pathname. This is related to plugin/controllers/file.py in the e2openplugin-OpenWebif project. | |||||
| CVE-2015-2862 | 1 Kaseya | 1 Virtual System Administrator | 2019-02-05 | 4.0 MEDIUM | N/A |
| Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote authenticated users to read arbitrary files via a crafted HTTP request. | |||||
| CVE-2019-7234 | 1 Idreamsoft | 1 Icms | 2019-02-05 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in idreamsoft iCMS 7.0.13. admincp.php?app=apps&do=save allows directory traversal via _app=/../ to begin the process of creating a ZIP archive file with the complete contents of any directory because of an apps.admincp.php error. This ZIP archive file can then be downloaded via an admincp.php?app=apps&do=pack request. | |||||
| CVE-2015-1195 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2019-02-04 | 6.5 MEDIUM | N/A |
| The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493. | |||||
| CVE-2019-7160 | 1 Idreamsoft | 1 Icms | 2019-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| idreamsoft iCMS 7.0.13 allows admincp.php?app=files ../ Directory Traversal via the udir parameter to files.admincp.php, resulting in execution of arbitrary PHP code from a ZIP file via the admincp.php?app=apps zipfile parameter to apps.admincp.php. | |||||
| CVE-2017-3980 | 1 Mcafee | 1 Epolicy Orchestrator | 2019-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| A directory traversal vulnerability in the ePO Extension in McAfee ePolicy Orchestrator (ePO) 5.9.0, 5.3.2, and 5.1.3 and earlier allows remote authenticated users to execute a command of their choice via an authenticated ePO session. | |||||