Total
5025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-27896 | 1 Apple | 2 Mac Os X, Macos | 2022-10-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| A path handling issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.0.1. A remote attacker may be able to modify the file system. | |||||
| CVE-2022-2554 | 1 Shortpixel | 1 Enable Media Replace | 2022-10-11 | N/A | 4.9 MEDIUM |
| The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack for example | |||||
| CVE-2022-39858 | 1 Samsung | 1 Factorycamera | 2022-10-07 | N/A | 7.8 HIGH |
| Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to write arbitrary file as FactoryCamera privilege. | |||||
| CVE-2020-8865 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2022-10-07 | 6.5 MEDIUM | 6.3 MEDIUM |
| This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469. | |||||
| CVE-2020-8570 | 1 Kubernetes | 1 Java | 2022-10-06 | 6.4 MEDIUM | 9.1 CRITICAL |
| Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code. | |||||
| CVE-2020-7478 | 1 Schneider-electric | 1 Interactive Graphical Scada System | 2022-10-06 | 5.0 MEDIUM | 7.5 HIGH |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory exists in IGSS (Versions 14 and prior using the service: IGSSupdate), which could allow a remote unauthenticated attacker to read arbitrary files from the IGSS server PC on an unrestricted or shared network when the IGSS Update Service is enabled. | |||||
| CVE-2020-13383 | 1 Os4ed | 1 Opensis | 2022-10-06 | 5.0 MEDIUM | 7.5 HIGH |
| openSIS through 7.4 allows Directory Traversal. | |||||
| CVE-2020-8913 | 1 Android | 1 Play Core Library | 2022-10-06 | 6.8 MEDIUM | 8.8 HIGH |
| A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device. We recommend all users update Play Core to version 1.7.2 or later. | |||||
| CVE-2020-9364 | 1 Creative-solutions | 1 Creative Contact Form | 2022-10-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in helpers/mailer.php in the Creative Contact Form extension 4.6.2 before 2019-12-03 for Joomla!. A directory traversal vulnerability resides in the filename field for uploaded attachments via the creativecontactform_upload parameter. An attacker could exploit this vulnerability with the "Send me a copy" option to receive any files of the filesystem via email. | |||||
| CVE-2022-3389 | 1 Ikus-soft | 1 Rdiffweb | 2022-10-06 | N/A | 7.5 HIGH |
| Path Traversal in GitHub repository ikus060/rdiffweb prior to 2.4.10. | |||||
| CVE-2020-10977 | 1 Gitlab | 1 Gitlab | 2022-10-06 | 2.1 LOW | 5.5 MEDIUM |
| GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects. | |||||
| CVE-2020-10457 | 1 Chadhaajay | 1 Phpkb | 2022-10-06 | 4.0 MEDIUM | 2.7 LOW |
| Path Traversal in admin/imagepaster/image-renaming.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to rename any file on the webserver using a dot-dot-slash sequence (../) via the POST parameter imgName (for the new name) and imgUrl (for the current file to be renamed). | |||||
| CVE-2020-10458 | 1 Chadhaajay | 1 Phpkb | 2022-10-06 | 5.5 MEDIUM | 6.5 MEDIUM |
| Path Traversal in admin/imagepaster/operations.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to delete any folder on the webserver using a dot-dot-slash sequence (../) via the GET parameter crdir, when the GET parameter action is set to df, causing a Denial of Service. | |||||
| CVE-2020-10459 | 1 Chadhaajay | 1 Phpkb | 2022-10-06 | 4.0 MEDIUM | 2.7 LOW |
| Path Traversal in admin/assetmanager/assetmanager.php (vulnerable function saved in admin/assetmanager/functions.php) in Chadha PHPKB Standard Multi-Language 9 allows attackers to list the files that are stored on the webserver using a dot-dot-slash sequence (../) via the POST parameter inpCurrFolder. | |||||
| CVE-2020-12112 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. | |||||
| CVE-2021-42013 | 4 Apache, Fedoraproject, Netapp and 1 more | 6 Http Server, Fedora, Cloud Backup and 3 more | 2022-10-05 | 7.5 HIGH | 9.8 CRITICAL |
| It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions. | |||||
| CVE-2020-20944 | 1 Qibosoft | 1 Qibosoft | 2022-10-05 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files. | |||||
| CVE-2020-18127 | 1 Indexhibit | 1 Indexhibit | 2022-10-05 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue in the /config/config.php component of Indexhibit 2.1.5 allows attackers to arbitrarily view files. | |||||
| CVE-2020-11738 | 1 Snapcreek | 1 Duplicator | 2022-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init. | |||||
| CVE-2020-20907 | 2 Metinfo, Microsoft | 2 Metinfo, Windows | 2022-10-05 | 6.4 MEDIUM | 9.1 CRITICAL |
| MetInfo 7.0 beta is affected by a file modification vulnerability. Attackers can delete and modify ini files in app/system/language/admin/language_general.class.php and app/system/include/function/file.func.php. | |||||