Total
6174 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-32328 | 1 Fast Food Ordering System Project | 1 Fast Food Ordering System | 2023-08-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| Fast Food Ordering System v1.0 is vulnerable to Delete any file. via /ffos/classes/Master.php?f=delete_img. | |||||
| CVE-2022-29081 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring. | |||||
| CVE-2022-30321 | 1 Hashicorp | 1 Go-getter | 2023-08-08 | 7.5 HIGH | 8.6 HIGH |
| go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0. | |||||
| CVE-2022-46900 | 1 Vocera | 2 Report Server, Voice Server | 2023-08-08 | N/A | 6.5 MEDIUM |
| An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Path Traversal in the Task Exec filename. The Vocera Report Console contains various jobs that are executed on the server at specified intervals, e.g., backup, etc. An authenticated user has the ability to modify these entries and set the executable path and parameters. | |||||
| CVE-2023-38956 | 1 Zkteco | 1 Bioaccess Ivs | 2023-08-07 | N/A | 7.5 HIGH |
| A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. | |||||
| CVE-2023-33369 | 1 Assaabloy | 1 Control Id Idsecure | 2023-08-07 | N/A | 9.1 CRITICAL |
| A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service. | |||||
| CVE-2023-3385 | 1 Gitlab | 1 Gitlab | 2023-08-04 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html). | |||||
| CVE-2022-46902 | 1 Vocera | 2 Report Server, Voice Server | 2023-08-04 | N/A | 7.5 HIGH |
| An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is a Path Traversal for an Unzip operation. The Vocera Report Console contains a websocket function that allows for the restoration of the database from a ZIP archive that expects a SQL import file. During the unzip operation, the code takes file paths from the ZIP archive and writes them to a Vocera temporary directory. Unfortunately, the code does not properly check if the file paths include directory traversal payloads that would escape the intended destination. | |||||
| CVE-2023-35016 | 1 Ibm | 1 Security Verify Governance | 2023-08-04 | N/A | 6.5 MEDIUM |
| IBM Security Verify Governance, Identity Manager 10.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 257772. | |||||
| CVE-2022-42182 | 1 Precisely | 1 Spectrum Spatial Analyst | 2023-08-04 | N/A | 5.3 MEDIUM |
| Precisely Spectrum Spatial Analyst 20.01 is vulnerable to Directory Traversal. | |||||
| CVE-2023-37218 | 1 Tadirantele | 1 Aeonix | 2023-08-04 | N/A | 7.5 HIGH |
| Tadiran Telecom Aeonix - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |||||
| CVE-2023-23838 | 2 Microsoft, Solarwinds | 2 Windows, Database Performance Analyzer | 2023-08-03 | N/A | 6.5 MEDIUM |
| Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server. | |||||
| CVE-2022-47506 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | N/A | 7.8 HIGH |
| SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands. | |||||
| CVE-2021-35250 | 1 Solarwinds | 1 Serv-u | 2023-08-03 | 5.0 MEDIUM | 7.5 HIGH |
| A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1. | |||||
| CVE-2005-0372 | 1 Gnome | 1 Gtk | 2023-08-03 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. | |||||
| CVE-2023-37460 | 1 Codehaus-plexus | 1 Plexus-archiver | 2023-08-03 | N/A | 9.8 CRITICAL |
| Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue. | |||||
| CVE-2008-0615 | 1 Dmsguestbook Project | 1 Dmsguestbook | 2023-08-02 | 4.0 MEDIUM | N/A |
| Directory traversal vulnerability in wp-admin/admin.php in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allows remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) folder and (2) file parameters. | |||||
| CVE-2018-1002200 | 3 Codehaus-plexus, Debian, Redhat | 5 Plexus-archiver, Debian Linux, Enterprise Linux and 2 more | 2023-08-02 | 4.3 MEDIUM | 5.5 MEDIUM |
| plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | |||||
| CVE-2008-1145 | 2 Fedoraproject, Ruby-lang | 3 Fedora, Ruby, Webrick | 2023-08-01 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. | |||||
| CVE-2022-46898 | 1 Vocera | 2 Report Server, Voice Server | 2023-08-01 | N/A | 9.8 CRITICAL |
| An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Path Traversal via the "restore SQL data" filename. The Vocera Report Console contains a websocket function that allows for the restoration of the database from a ZIP archive that expects a SQL import file. The filename provided is not properly sanitized and allows for the inclusion of a path-traversal payload that can be used to escape the intended Vocera restoration directory. An attacker could exploit this vulnerability to point to a crafted ZIP archive that contains SQL commands that could be executed against the database. | |||||