Total: 5025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-27844 | 1 Wpvivid | 1 Migration, Backup, Staging | 2022-04-20 | 5.0 MEDIUM | 7.5 HIGH | Arbitrary File Read vulnerability in WPvivid Team Migration, Backup, Staging – WPvivid (WordPress plugin) versions <= 0.9.70. |
| CVE-2021-22794 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2022-04-20 | 7.5 HIGH | 9.8 CRITICAL | A CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution. Affected Product: StruxureWare Data Center Expert (V7.8.1 and prior). |
| CVE-2022-0436 | 1 Gruntjs | 1 Grunt | 2022-04-20 | 2.1 LOW | 5.5 MEDIUM | Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2. |
| CVE-2021-43741 | 1 Cmsimple | 1 Cmsimple | 2022-04-20 | 7.5 HIGH | 9.8 CRITICAL | CMSimple 5.4 is vulnerable to Directory Traversal. The vulnerability exists when a user changes the file name to a malicious file on config.php, leading to remote code execution. |
| CVE-2022-24248 | 1 Ritecms | 1 Ritecms | 2022-04-20 | 8.5 HIGH | 6.5 MEDIUM | RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion via path traversal vulnerability in the Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain web server security mechanisms, such as deleting the .htaccess file, which would deactivate those security constraints. |
| CVE-2022-24247 | 1 Ritecms | 1 Ritecms | 2022-04-19 | 8.5 HIGH | 6.5 MEDIUM | RiteCMS version 3.1.0 and below suffers from an arbitrary file overwrite via path traversal vulnerability in the Admin Panel. Exploiting the vulnerability allows an authenticated attacker to overwrite any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to write), resulting in remote code execution. |
| CVE-2018-17365 | 1 Seacms | 1 Seacms | 2022-04-19 | 6.4 MEDIUM | 7.5 HIGH | SeaCMS 6.64 and 7.2 allows remote attackers to delete arbitrary files via the filedir parameter. |
| CVE-2022-27279 | 1 Inhandnetworks | 2 Inrouter 900, Inrouter 900 Firmware | 2022-04-18 | 5.0 MEDIUM | 7.5 HIGH | InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain an arbitrary file read vulnerability via the function sub_177E0. |
| CVE-2022-27277 | 1 Inhandnetworks | 2 Inrouter 900, Inrouter 900 Firmware | 2022-04-18 | 6.4 MEDIUM | 9.1 CRITICAL | InHand Networks InRouter 900 Industrial 4G Router before v1.0.0.r11700 was discovered to contain an arbitrary file deletion vulnerability via the function sub_17C08. |
| CVE-2019-9858 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2022-04-18 | 6.5 MEDIUM | 8.8 HIGH | Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which use unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter probably went unnoticed because it is never submitted by the forms, which default to securely using a random path.) |
| CVE-2019-13237 | 1 Alkacon | 1 Opencms Apollo Template | 2022-04-18 | 4.0 MEDIUM | 4.3 MEDIUM | In Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple resources vulnerable to Local File Inclusion that allow an attacker to access server resources: clearhistory.jsp, convertxml.jsp, group_new.jsp, loginmessage.jsp, xmlcontentrepair.jsp, and /system/workplace/admin/history/settings/index.jsp. |
| CVE-2020-4272 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2022-04-18 | 6.5 MEDIUM | 8.8 HIGH | IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially crafted request specifying a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 175898. |
| CVE-2019-14205 | 1 Nevma | 1 Adaptive Images | 2022-04-18 | 5.0 MEDIUM | 7.5 HIGH | A Local File Inclusion vulnerability in the Nevma Adaptive Images plugin before 0.6.67 for WordPress allows remote attackers to retrieve arbitrary files via the $REQUEST['adaptive-images-settings']['source_file'] parameter in adaptive-images-script.php. |
| CVE-2014-5111 | 1 Netfortris | 1 Trixbox | 2022-04-18 | 5.0 MEDIUM | N/A | Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/. |
| CVE-2021-3199 | 1 Onlyoffice | 1 Document Server | 2022-04-15 | 7.5 HIGH | 9.8 CRITICAL | Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter. |
| CVE-2021-37293 | 1 Kevinlab | 1 4st L-bems | 2022-04-15 | 4.0 MEDIUM | 6.5 MEDIUM | A Directory Traversal vulnerability exists in KevinLAB Inc. Building Energy Management System 4ST BEMS 1.0.0 via the page GET parameter in index.php. |
| CVE-2022-23971 | 1 Asus | 2 Rt-ax56u, Rt-ax56u Firmware | 2022-04-14 | 4.8 MEDIUM | 8.1 HIGH | ASUS RT-AX56U's update_PLC/PORT file has a path traversal vulnerability due to insufficient filtering of special characters in the URL parameter. An unauthenticated LAN attacker can overwrite a system file by uploading another PLC/PORT file with the same file name, which results in service disruption. |
| CVE-2022-23970 | 1 Asus | 2 Rt-ax56u, Rt-ax56u Firmware | 2022-04-14 | 4.8 MEDIUM | 8.1 HIGH | ASUS RT-AX56U's update_json function has a path traversal vulnerability due to insufficient filtering of special characters in the URL parameter. An unauthenticated LAN attacker can overwrite a system file by uploading another file with the same file name, which results in service disruption. |
| CVE-2021-36288 | 1 Dell | 10 Emc Unity Operating Environment, Vnx5200, Vnx5400 and 7 more | 2022-04-14 | 6.4 MEDIUM | 9.1 CRITICAL | Dell VNX2 for File versions 8.1.21.266 and earlier contain a path traversal vulnerability which may allow unauthenticated users to read/write restricted files. |
| CVE-2022-26675 | 1 Aenrich | 1 A+hrd | 2022-04-14 | 5.0 MEDIUM | 7.5 HIGH | aEnrich a+HRD has inadequate filtering of special characters in URLs. An unauthenticated remote attacker can bypass authentication and perform path traversal attacks to access arbitrary files under the website root directory. |
