Total
193 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-3926 | 2 Changingtec, Microsoft | 2 Servisign, Windows | 2022-05-24 | 7.8 HIGH | 7.5 HIGH |
| An arbitrary-file-access vulnerability exists in ServiSign security plugin, as long as the attackers learn the specific API function, they may access arbitrary files on target system via crafted API parameter. | |||||
| CVE-2022-29302 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2022-05-20 | 2.1 LOW | 5.5 MEDIUM |
| SolarView Compact ver.6.00 was discovered to contain a local file disclosure via /html/Solar_Ftp.php. | |||||
| CVE-2022-28462 | 1 Novel-plus Project | 1 Novel-plus | 2022-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| novel-plus 3.6.0 suffers from an Arbitrary file reading vulnerability. | |||||
| CVE-2022-0656 | 1 Webtoprint | 1 Web To Print Shop\ | 2022-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc) | |||||
| CVE-2022-28445 | 1 Kitesky | 1 Kitecms | 2022-05-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| KiteCMS v1.1.1 was discovered to contain an arbitrary file read vulnerability via the background management module. | |||||
| CVE-2020-11976 | 1 Apache | 2 Fortress, Wicket | 2022-04-26 | 5.0 MEDIUM | 7.5 HIGH |
| By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5 | |||||
| CVE-2022-26877 | 1 Asana | 1 Desktop | 2022-04-14 | 4.3 MEDIUM | 6.5 MEDIUM |
| Asana Desktop before 1.6.0 allows remote attackers to exfiltrate local files if they can trick the Asana desktop app into loading a malicious web page. | |||||
| CVE-2022-28002 | 1 Movie Seat Reservation Project | 1 Movie Seat Reservation | 2022-04-14 | 5.0 MEDIUM | 7.5 HIGH |
| Movie Seat Reservation v1 was discovered to contain an unauthenticated file disclosure vulnerability via /index.php?page=home. | |||||
| CVE-2021-31850 | 2 Mcafee, Microsoft | 2 Database Security, Windows | 2022-04-06 | 4.9 MEDIUM | 6.1 MEDIUM |
| A denial-of-service vulnerability in Database Security (DBS) prior to 4.8.4 allows a remote authenticated administrator to trigger a denial-of-service attack against the DBS server. The configuration of Archiving through the User interface incorrectly allowed the creation of directories and files in Windows system directories and other locations where sensitive data could be overwritten. The former could lead to a DoS, whilst the latter could lead to data destruction on the DBS server. | |||||
| CVE-2019-13140 | 1 Intenogroup | 2 Eg200, Eg200 Firmware | 2022-03-31 | 4.0 MEDIUM | 6.5 MEDIUM |
| Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP. | |||||
| CVE-2022-26271 | 1 74cms | 1 74cms | 2022-03-31 | 5.0 MEDIUM | 7.5 HIGH |
| 74cmsSE v3.4.1 was discovered to contain an arbitrary file read vulnerability via the $url parameter at \index\controller\Download.php. | |||||
| CVE-2022-24075 | 1 Navercorp | 1 Whale | 2022-03-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| Whale browser before 3.12.129.18 allowed extensions to replace JavaScript files of the HWP viewer website which could access to local HWP files. When the HWP files were opened, the replaced script could read the files. | |||||
| CVE-2022-25497 | 1 Cuppacms | 1 Cuppacms | 2022-03-23 | 5.0 MEDIUM | 5.3 MEDIUM |
| CuppaCMS v1.0 was discovered to contain an arbitrary file read via the copy function. | |||||
| CVE-2022-27193 | 1 Cvrf-csaf-converter Project | 1 Cvrf-csaf-converter | 2022-03-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| CVRF-CSAF-Converter before 1.0.0-rc2 resolves XML External Entities (XXE). This leads to the inclusion of arbitrary (local) file content into the generated output document. An attacker can exploit this to disclose information from the system running the converter. | |||||
| CVE-2022-23377 | 1 Keep | 1 Archeevo | 2022-03-08 | 5.0 MEDIUM | 7.5 HIGH |
| Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files. | |||||
| CVE-2022-25104 | 1 Horizontcms Project | 1 Horizontcms | 2022-03-03 | 5.0 MEDIUM | 7.5 HIGH |
| HorizontCMS v1.0.0-beta.2 was discovered to contain an arbitrary file download vulnerability via the component /admin/file-manager/. | |||||
| CVE-2022-25297 | 1 Drogon | 1 Drogon | 2022-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| This affects the package drogonframework/drogon before 1.7.5. The unsafe handling of file names during upload using HttpFile::save() method may enable attackers to write files to arbitrary locations outside the designated target folder. | |||||
| CVE-2022-25299 | 1 Cesanta | 1 Mongoose | 2022-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder. | |||||
| CVE-2022-24694 | 1 Mahara | 1 Mahara | 2022-02-11 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the Files area can be seen by a person not owning the folders. (Only folder names are affected. Neither file names nor file contents are affected.) | |||||
| CVE-2021-25004 | 1 Seur Oficial Project | 1 Seur Oficial | 2022-02-11 | 4.0 MEDIUM | 4.9 MEDIUM |
| The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page. | |||||