Total: 6174 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27639 | 1 Tshirtecommerce | 1 Custom Product Designer | 2023-06-09 | N/A | 7.5 HIGH |
| An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter file_name in the tshirtecommerce/ajax.php?type=svg endpoint, to allow a remote attacker to traverse directories on the system in order to open files (without restriction on the extension and path). Only files that can be parsed as XML can be opened. This was exploited in the wild in March 2023. | |||||
| CVE-2020-36566 | 1 Tar-utils Project | 1 Tar-utils | 2023-06-08 | N/A | 9.1 CRITICAL |
| Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | |||||
| CVE-2020-36561 | 1 Unzip Project | 1 Unzip | 2023-06-08 | N/A | 9.1 CRITICAL |
| Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | |||||
| CVE-2020-36560 | 1 Go-unzip Project | 1 Go-unzip | 2023-06-08 | N/A | 9.1 CRITICAL |
| Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | |||||
| CVE-2020-36559 | 1 Aahframework | 1 Aah | 2023-06-08 | N/A | 7.5 HIGH |
| Due to improper sanitization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read. | |||||
| CVE-2018-25046 | 1 Cloudfoundry | 1 Archiver | 2023-06-08 | N/A | 9.1 CRITICAL |
| Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. | |||||
| CVE-2023-29736 | 1 Timmystudios | 1 Keyboard Themes | 2023-06-08 | N/A | 9.8 CRITICAL |
| Keyboard Themes 1.275.1.164 for Android contains a directory traversal vulnerability that allows unauthorized apps to overwrite arbitrary files in its internal storage and achieve arbitrary code execution. | |||||
| CVE-2023-33544 | 1 Hawt | 1 Hawtio | 2023-06-08 | N/A | 5.5 MEDIUM |
| hawtio 2.17.2 is vulnerable to Path Traversal. It is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite. | |||||
| CVE-2023-29159 | 1 Encode | 1 Starlette | 2023-06-08 | N/A | 7.5 HIGH |
| Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette. | |||||
| CVE-2022-47526 | 1 Fox-it | 2 Fox Datadiode, Fox Datadiode Firmware | 2023-06-07 | N/A | 9.8 CRITICAL |
| Fox-IT DataDiode (aka Fox DataDiode) 3.4.3 suffers from a path traversal vulnerability with resultant arbitrary writing of files. A remote attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the downstream node user. Exploitation of this issue does not require user interaction. | |||||
| CVE-2023-2909 | 1 Asustor | 1 Adm | 2023-06-07 | N/A | 10.0 CRITICAL |
| EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below. | |||||
| CVE-2023-30197 | 1 Webbax | 1 Myinventory | 2023-06-07 | N/A | 7.5 HIGH |
| Incorrect Access Control in the module "My inventory" (myinventory) <= 1.6.6 from Webbax for PrestaShop, allows a guest to download personal information without restriction by performing a path traversal attack. | |||||
| CVE-2023-33177 | 1 Xibosignage | 1 Xibo | 2023-06-06 | N/A | 8.8 HIGH |
| Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. | |||||
| CVE-2023-30196 | 1 Webbax | 1 Salesbooster | 2023-06-05 | N/A | 7.5 HIGH |
| Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php. | |||||
| CVE-2021-27825 | 1 Mercurycom | 2 Mac1200r, Mac1200r Firmware | 2023-06-05 | N/A | 7.5 HIGH |
| A directory traversal vulnerability on Mercury MAC1200R devices allows attackers to read arbitrary files via a web-static/ URL. | |||||
| CVE-2022-36243 | 1 Shopbeat | 1 Shop Beat Media Player | 2023-06-02 | N/A | 5.3 MEDIUM |
| Shop Beat Solutions (pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Directory Traversal via server.shopbeat.co.za. Information Exposure Through Directory Listing vulnerability in "studio" software of Shop Beat. This issue affects: Shop Beat studio versions prior to 3.2.57 on arm. | |||||
| CVE-2023-29380 | 1 Linuxmint | 1 Warpinator | 2023-06-02 | N/A | 7.5 HIGH |
| Warpinator before 1.6.0 allows remote file deletion via directory traversal in top_dir_basenames. | |||||
| CVE-2022-24632 | 1 Audiocodes | 1 Device Manager Express | 2023-06-02 | N/A | 5.3 MEDIUM |
| An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is a directory traversal during file download via the BrowseFiles.php view parameter. | |||||
| CVE-2022-24629 | 1 Audiocodes | 1 Device Manager Express | 2023-06-02 | N/A | 9.8 CRITICAL |
| An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. Remote code execution can be achieved via directory traversal in the dir parameter of the file upload functionality of BrowseFiles.php. An attacker can upload a .php file to WebAdmin/admin/AudioCodes_files/ajax/. | |||||
| CVE-2023-27311 | 1 Netapp | 1 Blue Xp Connector | 2023-06-02 | N/A | 5.3 MEDIUM |
| NetApp Blue XP Connector versions prior to 3.9.25 expose information via a directory listing. A new Connector architecture resolves this issue - obtaining the fix requires redeploying a fresh Connector. | |||||
