Total: 5025 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-20811 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2022-10-31 | N/A | 7.2 HIGH |
Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
CVE-2022-20953 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2022-10-31 | N/A | 5.5 MEDIUM |
Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
CVE-2022-20955 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2022-10-31 | N/A | 7.1 HIGH |
Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
CVE-2022-20954 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2022-10-31 | N/A | 7.1 HIGH |
Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
CVE-2022-20776 | 1 Cisco | 2 Roomos, Telepresence Collaboration Endpoint | 2022-10-31 | N/A | 6.7 MEDIUM |
Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
CVE-2022-38196 | 1 Esri | 1 Arcgis Server | 2022-10-31 | N/A | 8.1 HIGH |
Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite an internal ArcGIS Server directory. | |||||
CVE-2022-3387 | 1 Advantech | 1 R-seenet | 2022-10-28 | N/A | 5.3 MEDIUM |
Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks. An unauthorized attacker could remotely exploit vulnerable PHP code to delete .PDF files. | |||||
CVE-2022-43748 | 1 Synology | 1 Presto File Server | 2022-10-28 | N/A | 7.5 HIGH |
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in file operation management in Synology Presto File Server before 2.1.2-1601 allows remote attackers to write arbitrary files via unspecified vectors. | |||||
CVE-2021-41773 | 4 Apache, Fedoraproject, Netapp and 1 more | 4 Http Server, Fedora, Cloud Backup and 1 more | 2022-10-28 | 4.3 MEDIUM | 7.5 HIGH |
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013. | |||||
CVE-2017-9947 | 1 Siemens | 3 Apogee Pxc Bacnet Automation Controller, Apogee Pxc Bacnet Automation Controller Firmware, Talon Tc Bacnet Automation Controller | 2022-10-28 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices. | |||||
CVE-2021-43788 | 1 Nodebb | 1 Nodebb | 2022-10-27 | 4.0 MEDIUM | 5.0 MEDIUM |
Nodebb is an open source Node.js based forum software. Prior to v1.18.5, a path traversal vulnerability was present that allowed users to access JSON files outside of the expected `languages/` directory. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible. | |||||
CVE-2021-24761 | 1 Bestwebsoft | 1 Error Log Viewer | 2022-10-27 | 4.3 MEDIUM | 6.5 MEDIUM |
The Error Log Viewer WordPress plugin before 1.1.2 does not perform a nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged-in admin delete arbitrary text files on the web server. | |||||
CVE-2022-36831 | 1 Samsung | 1 Notes | 2022-10-27 | N/A | 5.5 MEDIUM |
Path traversal vulnerability in UriFileUtils of Samsung Notes prior to version 4.3.14.39 allows an attacker to access some files with the permissions of Samsung Notes. | |||||
CVE-2021-33036 | 1 Apache | 1 Hadoop | 2022-10-27 | 9.0 HIGH | 8.8 HIGH |
In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | |||||
CVE-2021-29425 | 4 Apache, Debian, Netapp and 1 more | 60 Commons Io, Debian Linux, Active Iq Unified Manager and 57 more | 2022-10-27 | 5.8 MEDIUM | 4.8 MEDIUM |
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. | |||||
CVE-2021-3709 | 1 Canonical | 2 Apport, Ubuntu Linux | 2022-10-27 | 2.1 LOW | 5.5 MEDIUM |
Function check_attachment_for_errors() in file data/general-hooks/ubuntu.py could be tricked into exposing private data via a constructed crash file. This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3. | |||||
CVE-2022-24992 | 1 Qr Code Generator Project | 1 Qr Code Generator | 2022-10-27 | N/A | 7.5 HIGH |
A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal. | |||||
CVE-2022-31163 | 2 Debian, Tzinfo Project | 2 Debian Linux, Tzinfo | 2022-10-26 | N/A | 8.1 HIGH |
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`. | |||||
CVE-2022-33897 | 1 Robustel | 2 R1510, R1510 Firmware | 2022-10-25 | N/A | 9.1 CRITICAL |
A directory traversal vulnerability exists in the web_server /ajax/remove/ functionality of Robustel R1510 3.1.16. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
CVE-2022-35216 | 1 Omicard Edm Project | 1 Omicard Edm | 2022-10-25 | N/A | 7.5 HIGH |
OMICARD EDM's mail image relay function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and access arbitrary system files. | |||||