Total
5025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-46178 | 1 Metersphere | 1 Metersphere | 2023-01-04 | N/A | 8.8 HIGH |
| MeterSphere is a one-stop open source continuous testing platform, covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.1 allow users to upload a file, but do not validate the file name, which may lead to upload file to any path. The vulnerability has been fixed in v2.5.1. There are no workarounds. | |||||
| CVE-2022-46171 | 1 Tauri | 1 Tauri | 2023-01-04 | N/A | 7.7 HIGH |
| Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wildcards are not affected. As `**` allows for sub directories the behavior there is also as expected. The issue has been patched in the latest release and was backported into the currently supported 1.x branches. There are no known workarounds at the time of publication. | |||||
| CVE-2020-36629 | 1 Httpster Project | 1 Httpster | 2023-01-04 | N/A | 7.5 HIGH |
| A vulnerability classified as critical was found in SimbCo httpster. This vulnerability affects the function fs.realpathSync of the file src/server.coffee. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The name of the patch is d3055b3e30b40b65d30c5a06d6e053dffa7f35d0. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216748. | |||||
| CVE-2022-45894 | 1 Planetestream | 1 Planet Estream | 2023-01-04 | N/A | 6.5 MEDIUM |
| GetFile.aspx in Planet eStream before 6.72.10.07 allows ..\ directory traversal to read arbitrary local files. | |||||
| CVE-2022-4583 | 1 Neuroml | 1 Jlems | 2023-01-03 | N/A | 8.8 HIGH |
| A vulnerability was found in jLEMS. It has been declared as critical. Affected by this vulnerability is the function unpackJar of the file src/main/java/org/lemsml/jlems/io/util/JUtil.java. The manipulation leads to path traversal. The attack can be launched remotely. The name of the patch is 8c224637d7d561076364a9e3c2c375daeaf463dc. It is recommended to apply a patch to fix this issue. The identifier VDB-216169 was assigned to this vulnerability. | |||||
| CVE-2022-25895 | 1 Lite-dev-server Project | 1 Lite-dev-server | 2023-01-03 | N/A | 7.5 HIGH |
| All versions of package lite-dev-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to the req.url user input that is passed to the server code. | |||||
| CVE-2022-44016 | 1 Simmeth | 1 Lieferantenmanager | 2022-12-30 | N/A | 7.5 HIGH |
| An issue was discovered in Simmeth Lieferantenmanager before 5.6. An attacker can download arbitrary files from the web server by abusing an API call: /DS/LM_API/api/ConfigurationService/GetImages with an '"ImagesPath":"C:\\"' value. | |||||
| CVE-2022-46492 | 1 Nbnbk Project | 1 Nbnbk | 2022-12-30 | N/A | 6.5 MEDIUM |
| nbnbk commit 879858451d53261d10f77d4709aee2d01c72c301 was discovered to contain an arbitrary file read vulnerability via the component /api/Index/getFileBinary. | |||||
| CVE-2022-41591 | 1 Huawei | 2 Emui, Harmonyos | 2022-12-29 | N/A | 7.5 HIGH |
| The backup module has a path traversal vulnerability. Successful exploitation of this vulnerability causes unauthorized access to other system files. | |||||
| CVE-2022-25931 | 1 Easy-static-server Project | 1 Easy-static-server | 2022-12-29 | N/A | 7.5 HIGH |
| All versions of package easy-static-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to the req.url user input that is passed to the server code. | |||||
| CVE-2022-36221 | 1 Nokia | 2 Fastmile, Fastmile Firmware | 2022-12-28 | N/A | 6.5 MEDIUM |
| Nokia Fastmile 3tg00118abad52 is affected by an authenticated path traversal vulnerability which allows attackers to read any named pipe file on the system. | |||||
| CVE-2022-3184 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2022-12-28 | N/A | 9.8 CRITICAL |
| Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the device’s existing firmware allows unauthenticated users to access an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory. | |||||
| CVE-2022-43858 | 1 Ibm | 1 I | 2022-12-28 | N/A | 4.3 MEDIUM |
| IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to access the file system and download files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks by modifying a parameter thereby gaining access to their files through this interface. IBM X-Force ID: 239303. | |||||
| CVE-2022-43857 | 1 Ibm | 1 I | 2022-12-28 | N/A | 4.3 MEDIUM |
| IBM Navigator for i 7.3, 7.4 and 7.5 could allow an authenticated user to access IBM Navigator for i log files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks and download log files by modifying servlet filter. IBM X-Force ID: 239301. | |||||
| CVE-2022-40607 | 2 Ibm, Linux | 2 Spectrum Scale, Linux Kernel | 2022-12-23 | N/A | 6.8 MEDIUM |
| IBM Spectrum Scale 5.1 could allow users with permissions to create pod, persistent volume and persistent volume claim to access files and directories outside of the volume, including on the host filesystem. IBM X-Force ID: 235740. | |||||
| CVE-2022-4063 | 1 Pluginus | 1 Inpost Gallery | 2022-12-23 | N/A | 9.8 CRITICAL |
| The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers. | |||||
| CVE-2022-4594 | 1 Tjws2 Project | 1 Tjws2 | 2022-12-22 | N/A | 9.8 CRITICAL |
| A vulnerability was found in drogatkin TJWS2. It has been declared as critical. Affected by this vulnerability is the function deployWar of the file 1.x/src/rogatkin/web/WarRoller.java. The manipulation leads to path traversal. The attack can be launched remotely. The name of the patch is 1bac15c496ec54efe21ad7fab4e17633778582fc. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216187. | |||||
| CVE-2022-4572 | 1 Ubi Reader Project | 1 Ubi Reader | 2022-12-22 | N/A | 7.1 HIGH |
| A vulnerability, which was classified as problematic, has been found in UBI Reader up to 0.8.0. Affected by this issue is the function ubireader_extract_files of the file ubireader/ubifs/output.py of the component UBIFS File Handler. The manipulation leads to path traversal. The attack may be launched remotely. Upgrading to version 0.8.5 is able to address this issue. The name of the patch is d5d68e6b1b9f7070c29df5f67fc060f579ae9139. It is recommended to upgrade the affected component. VDB-216146 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-23530 | 1 Datadoghq | 1 Guarddog | 2022-12-22 | N/A | 6.5 MEDIUM |
| GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpack_archive() from a potentially malicious tarball without validating that the destination file path is within the intended destination directory can cause files outside the destination directory to be overwritten. This issue is patched in version 0.1.8. Potential workarounds include using a safer module, like zipfile, and validating the location of the extracted files and discarding those with malicious paths. | |||||
| CVE-2022-46137 | 1 Aerocms Project | 1 Aerocms | 2022-12-21 | N/A | 7.5 HIGH |
| AeroCMS v0.0.1 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: AeroCMS v0.0.1. | |||||