Total: 8266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-48483 | 1 3cx | 1 3cx | 2025-01-30 | N/A | 7.5 HIGH |
|
3CX before 18 Hotfix 1 build 18.0.3.461 on Windows allows unauthenticated remote attackers to read %WINDIR%\system32 files via /Electron/download directory traversal in conjunction with a path component that has a drive letter and uses backslash characters. NOTE: this issue exists because of an incomplete fix for CVE-2022-28005.
|
|||||
| CVE-2022-48482 | 2 3cx, Microsoft | 2 3cx, Windows | 2025-01-30 | N/A | 7.5 HIGH |
|
3CX before 18 Update 2 Security Hotfix build 18.0.2.315 on Windows allows unauthenticated remote attackers to read certain files via /Electron/download directory traversal. Files may have credentials, full backups, call recordings, and chat logs.
|
|||||
| CVE-2022-47875 | 1 Jedox | 2 Cloud, Jedox | 2025-01-30 | N/A | 8.8 HIGH |
|
A Directory Traversal vulnerability in /be/erpc.php in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to execute arbitrary code.
|
|||||
| CVE-2024-34033 | 1 Deltaww | 1 Diaenergie | 2025-01-30 | N/A | 8.8 HIGH |
|
Delta Electronics DIAEnergie has insufficient input validation which makes it possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.
|
|||||
| CVE-2024-40422 | 1 Stitionai | 1 Devika | 2025-01-29 | N/A | 9.1 CRITICAL |
|
The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
|
|||||
| CVE-2024-24934 | 1 Elementor | 1 Website Builder | 2025-01-29 | N/A | 8.5 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Manipulating Web Input to File System Calls. This issue affects Elementor Website Builder: from n/a through 3.19.0.
|
|||||
| CVE-2023-25289 | 1 Virtualreception | 1 Digital Reciptie | 2025-01-29 | N/A | 7.5 HIGH |
|
Directory Traversal vulnerability in virtualreception Digital Receptie version win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 in embedded web server, allows attacker to gain sensitive information via a crafted GET request.
|
|||||
| CVE-2023-30268 | 2 Cltphp, Microsoft | 2 Cltphp, Windows | 2025-01-29 | N/A | 9.8 CRITICAL |
|
CLTPHP <=6.0 is vulnerable to Improper Input Validation.
|
|||||
| CVE-2023-32235 | 1 Ghost | 1 Ghost | 2025-01-29 | N/A | 7.5 HIGH |
|
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.
|
|||||
| CVE-2023-47178 | 1 Posimyth | 1 The Plus Addons For Elementor | 2025-01-29 | N/A | 8.6 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows PHP Local File Inclusion. This issue affects The Plus Addons for Elementor Pro: from n/a through 5.2.8.
|
|||||
| CVE-2023-28127 | 1 Ivanti | 1 Avalanche | 2025-01-28 | N/A | 7.5 HIGH |
|
A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure.
|
|||||
| CVE-2023-41780 | 1 Zte | 1 Zxcloud Irai | 2025-01-28 | N/A | 6.4 MEDIUM |
|
There is an unsafe DLL loading vulnerability in ZTE ZXCLOUD iRAI. Due to the program's failure to adequately validate the user's input, an attacker could exploit this vulnerability to escalate local privileges.
|
|||||
| CVE-2023-27562 | 1 N8n | 1 N8n | 2025-01-27 | N/A | 6.5 MEDIUM |
|
The n8n package 0.218.0 for Node.js allows Directory Traversal.
|
|||||
| CVE-2023-26126 | 1 M.static Project | 1 M.static | 2025-01-27 | N/A | 7.5 HIGH |
|
All versions of the package m.static are vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the requestFile function.
|
|||||
| CVE-2023-31477 | 1 Gl-inet | 64 Gl-a1300, Gl-a1300 Firmware, Gl-ap1300 and 61 more | 2025-01-27 | N/A | 7.5 HIGH |
|
A path traversal issue was discovered on GL.iNet devices before 3.216. Through the file sharing feature, it is possible to share an arbitrary directory, such as /tmp or /etc, because there is no server-side restriction to limit sharing to the USB path.
|
|||||
| CVE-2023-30172 | 1 Lfprojects | 1 Mlflow | 2025-01-27 | N/A | 7.5 HIGH |
|
A directory traversal vulnerability in the /get-artifact API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the path parameter.
|
|||||
| CVE-2023-29986 | 1 Spring-boot-actuator-logview Project | 1 Spring-boot-actuator-logview | 2025-01-27 | N/A | 5.3 MEDIUM |
|
spring-boot-actuator-logview 0.2.13 allows Directory Traversal to sibling directories via LogViewEndpoint.view.
|
|||||
| CVE-2023-23169 | 1 Synapsoft | 1 Pdfocus | 2025-01-27 | N/A | 6.5 MEDIUM |
|
Synapsoft pdfocus 1.17 is vulnerable to local file inclusion and server-side request forgery Directory Traversal.
|
|||||
| CVE-2025-0542 | | | 2025-01-25 | N/A | 7.8 HIGH |
|
Local privilege escalation due to incorrect assignment of privileges of temporary files in the update mechanism of G DATA Management Server. This vulnerability allows a local, unprivileged attacker to escalate privileges on affected installations by placing a crafted ZIP archive in a globally writable directory, which gets unpacked in the context of SYSTEM and results in arbitrary file write.
|
|||||
| CVE-2024-12885 | | | 2025-01-25 | N/A | 6.5 MEDIUM |
|
The Connections Business Directory plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation when deleting a connections image directory in all versions up to, and including, 10.4.66. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server and all their content.
|
|||||
| CVE-2025-24611 | | | 2025-01-24 | N/A | 4.9 MEDIUM |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Smackcoders WP Ultimate Exporter allows Absolute Path Traversal. This issue affects WP Ultimate Exporter: from n/a through 2.9.
|
|||||
| CVE-2024-3848 | 1 Lfprojects | 1 Mlflow | 2025-01-24 | N/A | 7.5 HIGH |
|
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '#' character can be used to insert a path into the fragment, effectively skipping validation. This allows an attacker to construct a URL that, when processed, ignores the protocol scheme and uses the provided path for filesystem access. As a result, an attacker can read arbitra ...
|
|||||
| CVE-2020-13377 | 1 Loadbalancer | 1 Enterprise Va Max | 2025-01-24 | N/A | 8.1 HIGH |
|
The web-services interface of Loadbalancer.org Enterprise VA MAX through 8.3.8 could allow an authenticated, remote, low-privileged attacker to conduct directory traversal attacks and obtain read and write access to sensitive files.
|
|||||
| CVE-2024-7634 | 1 F5 | 2 Nginx Agent, Nginx Instance Manager | 2025-01-24 | N/A | 4.9 MEDIUM |
|
NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory.
|
|||||
| CVE-2024-2552 | 1 Paloaltonetworks | 1 Pan-os | 2025-01-24 | N/A | 6.0 MEDIUM |
|
A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions in the management plane and delete files on the firewall.
|
|||||
| CVE-2024-23607 | 1 F5 | 2 F5os-a, F5os-c | 2025-01-24 | N/A | 5.5 MEDIUM |
|
A directory traversal vulnerability exists in the F5OS QKView utility that allows an authenticated attacker to read files outside the QKView directory. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
|
|||||
| CVE-2025-23422 | | | 2025-01-24 | N/A | 7.5 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Store Locator allows PHP Local File Inclusion. This issue affects Store Locator: from n/a through 3.98.10.
|
|||||
| CVE-2024-54535 | 1 Apple | 4 Ipados, Iphone Os, Visionos and 1 more | 2025-01-23 | N/A | 4.3 MEDIUM |
|
A path handling issue was addressed with improved logic. This issue is fixed in watchOS 11.1, visionOS 2.1, iOS 18.1 and iPadOS 18.1. An attacker with access to calendar data could also read reminders.
|
|||||
| CVE-2024-27102 | 1 Pterodactyl | 1 Wings | 2025-01-23 | N/A | 9.9 CRITICAL |
|
Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The exact scope of impact is unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vul ...
|
|||||
| CVE-2023-32985 | 1 Jenkins | 1 Sidebar Link | 2025-01-23 | N/A | 4.3 MEDIUM |
|
Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
|
|||||
| CVE-2024-26261 | 1 Hgiga | 4 Oaklouds-organization-2.0, Oaklouds-organization-3.0, Oaklouds-webbase-2.0 and 1 more | 2025-01-23 | N/A | 9.8 CRITICAL |
|
The file download functionality in certain modules of HGiga OAKlouds contains an Arbitrary File Read and Delete vulnerability. Attackers can put a file path in specific request parameters, allowing them to download the file without login. Furthermore, the file will be deleted after being downloaded.
|
|||||
| CVE-2024-0818 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-01-23 | N/A | 9.1 CRITICAL |
|
Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6
|
|||||
| CVE-2024-25156 | 1 Fortra | 1 Goanywhere Managed File Transfer | 2025-01-23 | N/A | 6.5 MEDIUM |
|
A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients.
|
|||||
| CVE-2024-42187 | | | 2025-01-23 | N/A | 5.3 MEDIUM |
|
BigFix Patch Download Plug-ins are affected by a path traversal vulnerability. The application could allow operators to download files from a local repository which is vulnerable to path traversal attacks.
|
|||||
| CVE-2024-38768 | 1 Webangon | 1 The Pack Elementor Addons | 2025-01-22 | N/A | 4.3 MEDIUM |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Webangon The Pack Elementor addons allows PHP Local File Inclusion, Path Traversal. This issue affects The Pack Elementor addons: from n/a through 2.0.8.6.
|
|||||
| CVE-2023-30509 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-01-22 | N/A | 4.9 MEDIUM |
|
Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities results in the ability to read arbitrary files on the underlying operating system, including sensitive system files.
|
|||||
| CVE-2023-30508 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-01-22 | N/A | 4.9 MEDIUM |
|
Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities results in the ability to read arbitrary files on the underlying operating system, including sensitive system files.
|
|||||
| CVE-2024-50453 | 1 Webangon | 1 The Pack Elementor Addons | 2025-01-22 | N/A | 7.5 HIGH |
|
Relative Path Traversal vulnerability in Webangon The Pack Elementor addons allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through 2.0.9.
|
|||||
| CVE-2024-1974 | 1 Hasthemes | 1 Ht Mega | 2025-01-22 | N/A | 8.8 HIGH |
|
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.6 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to read the contents of arbitrary files on the server, which can contain sensitive information.
|
|||||
| CVE-2023-32767 | 1 Symcon | 1 Ip Symcon | 2025-01-22 | N/A | 7.5 HIGH |
|
The web interface of Symcon IP-Symcon before 6.3 (i.e., before 2023-05-12) allows a remote attacker to read sensitive files via .. directory-traversal sequences in the URL.
|
|||||