Total: 6174 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1818 | 1 Cisco | 2 Evolved Programmable Network Manager, Prime Infrastructure | 2023-03-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager software could allow an authenticated, remote attacker to download and view files within the application that should be restricted. This vulnerability is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. A successful exploit could allow the attacker to view application files that may contain sensitive information. | |||||
| CVE-2018-3822 | 1 Elastic | 1 X-pack | 2023-03-24 | 7.5 HIGH | 9.8 CRITICAL |
| X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows self-registration with arbitrary identifiers and the attacker can register an account with an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw. | |||||
| CVE-2023-27981 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2023-03-24 | N/A | 8.8 HIGH |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in Custom Reports that could cause a remote code execution when a victim tries to open a malicious report. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | |||||
| CVE-2019-16278 | 1 Nazgul | 1 Nostromo Nhttpd | 2023-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request. | |||||
| CVE-2023-28105 | 1 Go-huge-util Project | 1 Go-huge-util | 2023-03-23 | N/A | 8.8 HIGH |
| go-huge-util provides commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using the fsutil package to unzip files. When users use `zip.Unzip` to unzip archives supplied by a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds. | |||||
| CVE-2023-21456 | 1 Samsung | 1 Android | 2023-03-23 | N/A | 5.5 MEDIUM |
| Path traversal vulnerability in Galaxy Themes Service prior to SMR Mar-2023 Release 1 allows an attacker to access arbitrary files with the system uid. | |||||
| CVE-2023-25803 | 1 Roxy-wi | 1 Roxy-wi | 2023-03-22 | N/A | 7.5 HIGH |
| Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a directory traversal vulnerability that allows the inclusion of server-side files. This issue is fixed in version 6.3.5.0. | |||||
| CVE-2023-25802 | 1 Roxy-wi | 1 Roxy-wi | 2023-03-22 | N/A | 7.5 HIGH |
| Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue. | |||||
| CVE-2012-4701 | 1 Tridium | 1 Niagara Ax | 2023-03-22 | 9.3 HIGH | N/A |
| Directory traversal vulnerability in Tridium Niagara AX 3.5, 3.6, and 3.7 allows remote attackers to read sensitive files, and consequently execute arbitrary code, by leveraging (1) valid credentials or (2) the guest feature. | |||||
| CVE-2012-4027 | 1 Tridium | 1 Niagara Ax | 2023-03-22 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in Tridium Niagara AX Framework allows remote attackers to read files outside of the intended images, nav, and px folders by leveraging incorrect permissions, as demonstrated by reading the config.bog file. | |||||
| CVE-2022-41418 | 1 Blogengine | 1 Blogengine.net | 2023-03-22 | N/A | 7.2 HIGH |
| An issue in the component BlogEngine/BlogEngine.NET/AppCode/Api/UploadController.cs of BlogEngine.NET v3.3.8.0 allows attackers to execute arbitrary code via uploading a crafted PNG file. | |||||
| CVE-2023-27588 | 1 Hasura | 1 Graphql Engine | 2023-03-21 | N/A | 7.5 HIGH |
| Hasura is an open-source product that provides users with GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch. | |||||
| CVE-2023-25804 | 1 Roxy-wi | 1 Roxy-wi | 2023-03-19 | N/A | 5.3 MEDIUM |
| Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a limited path traversal vulnerability. An SSH key can be saved into an unintended location, for example the `/tmp` folder using a payload `../../../../../tmp/test111_dev`. This issue has been fixed in version 6.3.5.0. | |||||
| CVE-2023-25345 | 2 Swig-templates Project, Swig Project | 2 Swig-templates, Swig | 2023-03-18 | N/A | 7.5 HIGH |
| Directory traversal vulnerability in swig-templates through 2.0.4 and swig through 1.4.2 allows attackers to read arbitrary files via the include or extends tags. | |||||
| CVE-2023-25814 | 1 Metersphere | 1 Metersphere | 2023-03-15 | N/A | 6.5 MEDIUM |
| MeterSphere is an open source continuous testing platform. In versions prior to 2.7.1, a user who has permission to create a resource file through UI operations is able to append a path to their submission query, which will be read by the system and displayed to the user. This allows a user of the system to read arbitrary files on the filesystem of the server, so long as the server process itself has permission to read the requested files. This issue has been addressed in version 2.7.1. All users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2021-33353 | 1 Wyomind | 1 Help Desk | 2023-03-14 | N/A | 9.8 CRITICAL |
| Directory traversal vulnerability in the Wyomind Help Desk Magento 2 extension v1.3.6 and before, fixed in v1.3.7, allows an attacker to execute arbitrary code via the file attachment directory setting. | |||||
| CVE-2022-48362 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-03-14 | N/A | 8.8 HIGH |
| Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.) | |||||
| CVE-2023-22336 | 1 Dos-osaka | 2 Rakuraku Pc Cloud Agent, Ss1 | 2023-03-13 | N/A | 9.8 CRITICAL |
| Path traversal vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to upload a specially crafted file to an arbitrary directory. When this vulnerability is exploited together with CVE-2023-22335 and CVE-2023-22344, it may allow a remote attacker to execute arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device. | |||||
| CVE-2023-26256 | 1 Stagil | 1 Stagil Navigation | 2023-03-07 | N/A | 7.5 HIGH |
| An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system. | |||||
| CVE-2023-26255 | 1 Stagil | 1 Stagil Navigation | 2023-03-07 | N/A | 7.5 HIGH |
| An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjCustomDesignConfig endpoint, it is possible to traverse and read the file system. | |||||
