Total: 8266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-27617 | 1 Synology | 2 Calendar, Diskstation Manager | 2025-01-14 | N/A | 5.0 MEDIUM | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology Calendar before 2.3.4-0631 allows remote authenticated users to download arbitrary files via unspecified vectors. |
| CVE-2021-33182 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.0 MEDIUM | 5.0 MEDIUM | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in PDF Viewer component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to read limited files via unspecified vectors. |
| CVE-2021-29088 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 4.6 MEDIUM | 7.8 HIGH | Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors. |
| CVE-2022-27620 | 1 Synology | 2 Diskstation Manager, Sso Server | 2025-01-14 | N/A | 6.8 MEDIUM | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology SSO Server before 2.2.3-0331 allows remote authenticated users to read arbitrary files via unspecified vectors. |
| CVE-2021-29087 | 1 Synology | 2 Diskstation Manager, Diskstation Manager Unified Controller | 2025-01-14 | 5.0 MEDIUM | 7.5 HIGH | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote attackers to write arbitrary files via unspecified vectors. |
| CVE-2022-24629 | 1 Audiocodes | 1 Device Manager Express | 2025-01-14 | N/A | 9.8 CRITICAL | An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. Remote code execution can be achieved via directory traversal in the dir parameter of the file upload functionality of BrowseFiles.php. An attacker can upload a .php file to WebAdmin/admin/AudioCodes_files/ajax/. |
| CVE-2021-27825 | 1 Mercurycom | 2 Mac1200r, Mac1200r Firmware | 2025-01-14 | N/A | 7.5 HIGH | A directory traversal vulnerability on Mercury MAC1200R devices allows attackers to read arbitrary files via a web-static/ URL. |
| CVE-2023-28344 | 2 Faronics, Microsoft | 2 Insight, Windows | 2025-01-14 | N/A | 7.1 HIGH | An issue was discovered in Faronics Insight 10.0.19045 on Windows. The Insight Teacher Console application allows unauthenticated attackers to view constantly updated screenshots of student desktops and to submit falsified screenshots on behalf of students. Attackers are able to view screenshots of student desktops without their consent. These screenshots may potentially contain sensitive/personal data. Attackers can also rapidly submit falsified images, hiding the actual contents of student des ... |
| CVE-2022-47526 | 1 Fox-it | 2 Fox Datadiode, Fox Datadiode Firmware | 2025-01-14 | N/A | 9.8 CRITICAL | Fox-IT DataDiode (aka Fox DataDiode) 3.4.3 suffers from a path traversal vulnerability with resultant arbitrary writing of files. A remote attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the downstream node user. Exploitation of this issue does not require user interaction. |
| CVE-2024-12083 | | | 2025-01-14 | N/A | 6.6 MEDIUM | Path Traversal Vulnerabilities (CWE-22) exist in NJ/NX-series Machine Automation Controllers. An attacker may use these vulnerabilities to perform unauthorized access and to execute unauthorized code remotely to the controller products. |
| CVE-2023-29380 | 1 Linuxmint | 1 Warpinator | 2025-01-13 | N/A | 7.5 HIGH | Warpinator before 1.6.0 allows remote file deletion via directory traversal in top_dir_basenames. |
| CVE-2022-36243 | 1 Shopbeat | 1 Shop Beat Media Player | 2025-01-13 | N/A | 5.3 MEDIUM | Shop Beat Solutions (pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Directory Traversal via server.shopbeat.co.za. Information Exposure Through Directory Listing vulnerability in "studio" software of Shop Beat. This issue affects: Shop Beat studio versions prior to 3.2.57 on arm. |
| CVE-2023-30196 | 1 Webbax | 1 Salesbooster | 2025-01-13 | N/A | 7.5 HIGH | Prestashop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via modules/salesbooster/downloads/download.php. |
| CVE-2023-52953 | 1 Huawei | 2 Emui, Harmonyos | 2025-01-13 | N/A | 6.2 MEDIUM | Path traversal vulnerability in the Medialibrary module. Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. |
| CVE-2025-22152 | | | 2025-01-10 | N/A | 9.1 CRITICAL | Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These vulnerabilities can be exploited through various attack vectors present in multiple PHP files. This vulnerability is fixed in v600. |
| CVE-2024-38819 | | | 2025-01-10 | N/A | 7.5 HIGH | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. |
| CVE-2024-10005 | 1 Hashicorp | 1 Consul | 2025-01-10 | N/A | 8.1 HIGH | A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. |
| CVE-2023-30197 | 1 Webbax | 1 Myinventory | 2025-01-09 | N/A | 7.5 HIGH | Incorrect Access Control in the module "My inventory" (myinventory) <= 1.6.6 from Webbax for PrestaShop, allows a guest to download personal information without restriction by performing a path traversal attack. |
| CVE-2023-29159 | 1 Encode | 1 Starlette | 2025-01-09 | N/A | 7.5 HIGH | Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette. |
| CVE-2023-27639 | 1 Tshirtecommerce | 1 Custom Product Designer | 2025-01-09 | N/A | 7.5 HIGH | An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter file_name in the tshirtecommerce/ajax.php?type=svg endpoint, to allow a remote attacker to traverse directories on the system in order to open files (without restriction on the extension and path). Only files that can be parsed in XML can be opened. This is exploited in the wild in March 2023. |
| CVE-2023-25750 | 1 Mozilla | 1 Firefox | 2025-01-09 | N/A | 4.3 MEDIUM | Under certain circumstances, a ServiceWorker's offline cache may have leaked to the file system when using private browsing mode. This vulnerability affects Firefox < 111. |
| CVE-2024-9575 | | | 2025-01-09 | N/A | N/A | Local File Inclusion vulnerability in pretix Widget WordPress plugin pretix-widget on Windows allows PHP Local File Inclusion. This issue affects pretix Widget WordPress plugin: from 1.0.0 through 1.0.5. |
| CVE-2023-29736 | 1 Timmystudios | 1 Keyboard Themes | 2025-01-09 | N/A | 9.8 CRITICAL | Keyboard Themes 1.275.1.164 for Android contains a directory traversal vulnerability that allows unauthorized apps to overwrite arbitrary files in its internal storage and achieve arbitrary code execution. |
| CVE-2023-33544 | 1 Hawt | 1 Hawtio | 2025-01-09 | N/A | 5.5 MEDIUM | hawtio 2.17.2 is vulnerable to Path Traversal. It is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite. |
| CVE-2024-29196 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | N/A | 3.8 LOW | phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. This vulnerability is fixed in 3.2.6. |
| CVE-2023-28163 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-09 | N/A | 6.5 MEDIUM | When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. *This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. |
| CVE-2024-25123 | 1 Open-mss | 1 Mission Support System | 2025-01-09 | N/A | 7.3 HIGH | MSS (Mission Support System) is an open source package designed for planning atmospheric research flights. In file: `index.py`, there is a method that is vulnerable to path manipulation attack. By modifying file paths, an attacker can acquire sensitive information from different resources. The `filename` variable is joined with other variables to form a file path in `_file`. However, `filename` is a route parameter that can capture path type values i.e. values including slashes (\). So it is pos ... |
| CVE-2024-25620 | 1 Helm | 1 Helm | 2025-01-09 | N/A | 6.4 MEDIUM | Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by ... |
| CVE-2023-27640 | 1 Tshirtecommerce | 1 Custom Product Designer | 2025-01-08 | N/A | 7.5 HIGH | An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter type in the /tshirtecommerce/fonts.php endpoint, to allow a remote attacker to traverse directories on the system in order to open files (without restriction on the extension and path). The content of the file is returned with base64 encoding. This is exploited in the wild in March 2023. |
| CVE-2023-33524 | 1 Advent | 1 Tamale Rms | 2025-01-08 | N/A | 5.3 MEDIUM | Advent/SSC Inc. Tamale RMS < 23.1 is vulnerable to Directory Traversal. If one traverses to the affected URL, one enumerates Contact information on the host which contains usernames, e-mail addresses, and other internal information stored within the web app. |
| CVE-2023-34407 | 1 Harbingergroup | 1 Office Player | 2025-01-08 | N/A | 7.5 HIGH | OfflinePlayerService.exe in Harbinger Offline Player 4.0.6.0.2 allows directory traversal as LocalSystem via ..\ in a URL. |
| CVE-2024-43996 | 1 Wpmet | 1 Elementskit | 2025-01-08 | N/A | 6.5 MEDIUM | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ElementsKit ElementsKit Pro allows PHP Local File Inclusion. This issue affects ElementsKit Pro: from n/a through 3.6.0. |
| CVE-2023-34409 | 1 Percona | 1 Monitoring And Management | 2025-01-08 | N/A | 9.8 CRITICAL | In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes leading to escalation of privileges and information disclosure. |
| CVE-2023-33747 | 1 Mgt-commerce | 1 Cloudpanel | 2025-01-08 | N/A | 7.8 HIGH | CloudPanel v2.2.2 allows attackers to execute a path traversal. |
| CVE-2024-28088 | 1 Langchain | 1 Langchain | 2025-01-08 | N/A | 8.1 HIGH | LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.) |
| CVE-2024-37464 | 1 Wpzoom | 1 Beaver Builder Addons | 2025-01-08 | N/A | 4.9 MEDIUM | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPZOOM Beaver Builder Addons by WPZOOM allows Path Traversal. This issue affects Beaver Builder Addons by WPZOOM: from n/a through 1.3.5. |
| CVE-2024-25693 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2025-01-08 | N/A | 9.9 CRITICAL | There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory. |
| CVE-2024-12105 | 1 Progress | 1 Whatsup Gold | 2025-01-08 | N/A | 6.5 MEDIUM | In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. |
| CVE-2024-49082 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-08 | N/A | 6.8 MEDIUM | Windows File Explorer Information Disclosure Vulnerability |
| CVE-2024-54382 | 1 Bold-themes | 1 Bold Page Builder | 2025-01-07 | N/A | 4.9 MEDIUM | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BoldThemes Bold Page Builder allows Path Traversal. This issue affects Bold Page Builder: from n/a through 5.1.5. |