Total
8266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-29006 | 1 Rconfig | 1 Rconfig | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
rConfig 3.9.6 is affected by a Local File Disclosure vulnerability. An authenticated user may successfully download any file on the server.
|
|||||
| CVE-2021-28966 | 2 Microsoft, Ruby-lang | 2 Windows, Ruby | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.
|
|||||
| CVE-2021-28959 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.
|
|||||
| CVE-2021-28798 | 1 Qnap | 2 Qts, Quts Hero | 2024-11-21 | 5.0 MEDIUM | 8.8 HIGH |
|
A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to modify files that impact system integrity. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.2.1630 Build 20210406 and later QTS 4.3.6.1663 Build 20210504 and later QTS 4.3.3.1624 Build 20210416 and later QuTS hero h4.5.2.1638 Build 20210414 and later QNAP NAS running QTS 4.5.3 are not affected.
|
|||||
| CVE-2021-28658 | 3 Debian, Djangoproject, Fedoraproject | 3 Debian Linux, Django, Fedora | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
|
|||||
| CVE-2021-28644 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2024-11-21 | N/A | 7.8 HIGH |
|
Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Path traversal vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
|
|||||
| CVE-2021-28588 | 1 Adobe | 1 Robohelp Server | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
Adobe RoboHelp Server version 2019.0.9 (and earlier) is affected by a Path Traversal vulnerability when parsing a crafted HTTP POST request. An authenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
|
|||||
| CVE-2021-28584 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 5.4 MEDIUM |
|
Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Path Traversal vulnerability when creating a store with child theme.Successful exploitation could lead to arbitrary file system write by an authenticated attacker. Access to the admin console is required for successful exploitation.
|
|||||
| CVE-2021-28485 | 1 Ericsson | 2 Mobile Switching Center Server Bc 18a, Mobile Switching Center Server Bc 18a Firmware | 2024-11-21 | N/A | 4.3 MEDIUM |
|
In Ericsson Mobile Switching Center Server (MSC-S) before IS 3.1 CP22, the SIS web application allows relative path traversal via a specific parameter in the https request after authentication, which allows access to files on the system that are not intended to be accessible via the web application.
|
|||||
| CVE-2021-28377 | 1 Chronoengine | 1 Chronoforums | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary files.
|
|||||
| CVE-2021-28376 | 1 Chronoengine | 1 Chronoforums | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
|
ChronoForms 7.0.7 allows fname Directory Traversal to read arbitrary files.
|
|||||
| CVE-2021-28209 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
|
The specific function in ASUS BMC’s firmware Web management page (Delete video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files.
|
|||||
| CVE-2021-28208 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
|
The specific function in ASUS BMC’s firmware Web management page (Get video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files.
|
|||||
| CVE-2021-28207 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
|
The specific function in ASUS BMC’s firmware Web management page (Get Help file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files.
|
|||||
| CVE-2021-28206 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
|
The specific function in ASUS BMC’s firmware Web management page (Record video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files.
|
|||||
| CVE-2021-28205 | 1 Asus | 6 Asmb8-ikvm, Asmb8-ikvm Firmware, Z10pe-d16 Ws and 3 more | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
|
The specific function in ASUS BMC’s firmware Web management page (Delete SOL video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files.
|
|||||
| CVE-2021-28172 | 1 Deltaflow Project | 1 Deltaflow | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
There is a Path Traversal vulnerability in the file download function of Vangene deltaFlow E-platform. Remote attackers can access credential data with this leakage.
|
|||||
| CVE-2021-28149 | 1 Hongdian | 2 H8922, H8922 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file.
|
|||||
| CVE-2021-28042 | 1 Deutschepost | 1 Mailoptimizer | 2024-11-21 | 8.3 HIGH | 7.8 HIGH |
|
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
|
|||||
| CVE-2021-27771 | 1 Hcltech | 1 Sametime | 2024-11-21 | 6.5 MEDIUM | 8.2 HIGH |
|
User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages, receiving notifications and/or transferring files.
|
|||||
| CVE-2021-27755 | 1 Hcltech | 1 Hcl Sametime | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
"Sametime Android potential path traversal vulnerability when using File class"
|
|||||
| CVE-2021-27753 | 1 Hcltech | 1 Hcl Sametime | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
"Sametime Android PathTraversal Vulnerability"
|
|||||
| CVE-2021-27473 | 1 Rockwellautomation | 1 Connected Components Workbench | 2024-11-21 | 6.9 MEDIUM | 6.1 MEDIUM |
|
Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level p ...
Show More |
|||||
| CVE-2021-27471 | 1 Rockwellautomation | 1 Connected Components Workbench | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
|
The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit ...
Show More |
|||||
| CVE-2021-27461 | 1 Emerson | 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected webserver applications allow access to stored data that can be obtained by using specially crafted URLs.
|
|||||
| CVE-2021-27402 | 1 Mitel | 1 Micollab | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
|
The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL validation, aka Directory Traversal.
|
|||||
| CVE-2021-27367 | 1 Boltcms | 1 Bolt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal.
|
|||||
| CVE-2021-27341 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter.
|
|||||
| CVE-2021-27328 | 1 Yeastar | 2 Neogate Tg400, Neogate Tg400 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key.
|
|||||
| CVE-2021-27278 | 1 Parallels | 1 Parallels Desktop | 2024-11-21 | 4.6 MEDIUM | 8.2 HIGH |
|
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.1-49141. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privil ...
Show More |
|||||
| CVE-2021-27276 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
|
This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MibController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulner ...
Show More |
|||||
| CVE-2021-27275 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
|
This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ConfigFileController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operat ...
Show More |
|||||
| CVE-2021-27272 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 7.5 HIGH | 7.1 HIGH |
|
This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ReportTemplateController class. When parsing the path parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this ...
Show More |
|||||
| CVE-2021-27030 | 1 Autodesk | 1 Fbx Review | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
|
A user may be tricked into opening a malicious FBX file which may exploit a Directory Traversal Remote Code Execution vulnerability in FBX’s Review causing it to run arbitrary code on the system.
|
|||||
| CVE-2021-26814 | 1 Wazuh | 1 Wazuh | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service script.
|
|||||
| CVE-2021-26736 | 1 Zscaler | 1 Client Connector | 2024-11-21 | N/A | 6.7 MEDIUM |
|
Multiple vulnerabilities in the Zscaler Client Connector Installer and Uninstaller for Windows prior to 3.6 allowed execution of binaries from a low privileged path. A local adversary may be able to execute code with SYSTEM privileges.
|
|||||
| CVE-2021-26725 | 1 Nozominetworks | 2 Central Management Control, Guardian | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
|
Path Traversal vulnerability when changing timezone using web GUI of Nozomi Networks Guardian, CMC allows an authenticated administrator to read-protected system files. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions.
|
|||||
| CVE-2021-26719 | 1 Gradle | 3 Enterprise Test Distribution Agent, Maven, Test Distribution | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
|
A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before 1.8.2. A malicious actor (with certain credentials) can perform a registration step such that crafted TAR archives lead to extraction of files into arbitrary filesystem locations.
|
|||||
| CVE-2021-26629 | 2 Microsoft, Tobesoft | 2 Windows, Xplatform | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A path traversal vulnerability in XPLATFORM's runtime archive function could lead to arbitrary file creation. When the .xzip archive file is decompressed, an arbitrary file can be d in the parent path by using the path traversal pattern ‘..\’.
|
|||||
| CVE-2021-26619 | 2 Bigfile, Microsoft | 2 Bigfileagent, Windows | 2024-11-21 | 6.4 MEDIUM | 7.1 HIGH |
|
An path traversal vulnerability leading to delete arbitrary files was discovered in BigFileAgent. Remote attackers can use this vulnerability to delete arbitrary files of unspecified number of users.
|
|||||