Total: 5025 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-12265 | 1 Decompress Project | 1 Decompress | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL | The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via `../` in an archive member, when a symlink is used, because of Directory Traversal. |
| CVE-2020-35370 | 1 Raysync | 1 Raysync | 2021-07-21 | 9.3 HIGH | 8.8 HIGH | An RCE vulnerability exists in Raysync below 3.3.3.8. An unauthenticated, unauthorized attacker sending a specifically crafted request to overwrite a specific file on the server with malicious content can log in as "admin" and then modify a specific shell file to achieve remote code execution (RCE) on the hosting server. |
| CVE-2020-15929 | 1 Ortussolutions | 1 Testbox | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL | In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters passed to system/runners/HTMLRunner.cfm allow an attacker to write an arbitrary CFM file (within the application's context) containing attacker-defined CFML tags, leading to Remote Code Execution. |
| CVE-2020-13347 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 9.0 HIGH | 9.1 CRITICAL | A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a Docker executor, it allows the attacker to run arbitrary commands on the Windows host via the DOCKER_AUTH_CONFIG build variable. |
| CVE-2020-9354 | 1 Smartclient | 1 Smartclient | 2021-07-21 | 6.4 MEDIUM | 7.5 HIGH | An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and `/..` path traversal. |
| CVE-2020-9323 | 1 Aquaforest | 1 Tiff Server | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM | Aquaforest TIFF Server 4.0 allows Unauthenticated File and Directory Enumeration via tiffserver/tssp.aspx. |
| CVE-2020-12851 | 1 Pydio | 1 Cells | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH | Pydio Cells 2.0.4 allows an authenticated user to write or overwrite existing files in another user's personal and cells folders (repositories) by uploading a custom generated ZIP file and leveraging the file extraction feature present in the web application. The extracted files will be placed in the targeted user's folders. |
| CVE-2019-19141 | 1 Plex | 1 Media Server | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH | The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user account running the Plex Media Server has permissions. This allows remote code execution via a variety of methods, such as (on a default Ubuntu installation) creating a .ssh folder in the plex user's home directory via directory traversal, uploading an SSH authorized_keys file there, and logging into the host as the Plex user via SSH. |
| CVE-2020-0179 | 1 Google | 1 Android | 2021-07-21 | 6.8 MEDIUM | 7.8 HIGH | In doSendObjectInfo of MtpServer.cpp, there is a possible path traversal attack due to insufficient input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is required for exploitation. Product: Android. Versions: Android-10. Android ID: A-130656917. |
| CVE-2020-7648 | 1 Snyk | 1 Broker | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM | All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path, e.g. `#package.json`. |
| CVE-2020-7650 | 1 Snyk | 1 Broker | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM | All versions of snyk-broker from 4.72.0 (inclusive) and before 4.73.1 are vulnerable to Arbitrary File Read. It allows users with access to Snyk's internal network to read any files ending in the following extensions: yaml, yml or json. |
| CVE-2019-9157 | 1 Gemalto | 1 Ezio Ds3 Server | 2021-07-21 | 2.7 LOW | 5.7 MEDIUM | Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclosure. |
| CVE-2020-7651 | 1 Snyk | 1 Broker | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM | All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from the GitHub Commits API. |
| CVE-2020-11819 | 1 Rukovoditel | 1 Rukovoditel | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL | In Rukovoditel 2.5.2, an attacker may inject an arbitrary .php file location instead of a language file and thus achieve command execution. |
| CVE-2019-11378 | 1 Projectsend | 1 Projectsend | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH | An issue was discovered in ProjectSend r1053. upload-process-form.php allows `finished_files[]=../` directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code. |
| CVE-2019-1020001 | 1 Yardoc | 1 Yard | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | yard before 0.9.20 allows path traversal. |
| CVE-2020-6828 | 2 Google, Mozilla | 2 Android, Firefox Esr | 2021-07-21 | 6.4 MEDIUM | 7.5 HIGH | A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference values. Control of arbitrary preferences can lead to sufficient compromise such that it is generally equivalent to arbitrary code execution. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox ESR < 68.7. |
| CVE-2020-11439 | 1 Librehealth | 1 Librehealth Ehr | 2021-07-21 | 9.0 HIGH | 8.8 HIGH | LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed within the EMR application. |
| CVE-2019-19264 | 1 Simplifile | 1 Recordfusion | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | In Simplifile RecordFusion through 2019-11-25, the logs and hist parameters allow remote attackers to access local files via a `logger/logs?/../` or `logger/hist?/../` URI. |
| CVE-2020-29166 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by file read/manipulation, which can result in remote information disclosure. |
