Total
8266 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7950 | 1 Wpjobportal | 1 Wp Job Portal | 2024-10-04 | N/A | 9.8 CRITICAL |
|
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access control ...
Show More |
|||||
| CVE-2024-47071 | 2024-10-04 | N/A | 6.8 MEDIUM | ||
|
OSS Endpoint Manager is an endpoint manager module for FreePBX. OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with the permissions of the webserver process. This vulnerability is fixed in 14.0.4.
|
|||||
| CVE-2024-9100 | 2024-10-04 | N/A | 6.5 MEDIUM | ||
|
Zohocorp ManageEngine Analytics Plus versions before 5410 and Zoho Analytics On-Premise versions before 5410 are vulnerable to Path traversal.
|
|||||
| CVE-2024-44017 | 2024-10-04 | N/A | 7.5 HIGH | ||
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in MinHyeong Lim MH Board allows PHP Local File Inclusion.This issue affects MH Board: from n/a through 1.3.2.1.
|
|||||
| CVE-2021-27916 | 1 Acquia | 1 Mautic | 2024-10-02 | N/A | 8.1 HIGH |
|
Prior to the patched version, logged in users of Mautic are vulnerable to Relative Path Traversal/Arbitrary File Deletion. Regardless of the level of access the Mautic user had, they could delete files other than those in the media folders such as system files, libraries or other important files.
This vulnerability exists in the implementation of the GrapesJS builder in Mautic.
|
|||||
| CVE-2024-47292 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-01 | N/A | 5.5 MEDIUM |
|
Path traversal vulnerability in the Bluetooth module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
|
|||||
| CVE-2024-8704 | 1 Advancedfilemanager | 1 Advanced File Manager | 2024-10-01 | N/A | 7.2 HIGH |
|
The Advanced File Manager plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 5.2.8 via the 'fma_locale' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other ...
Show More |
|||||
| CVE-2024-8941 | 1 Scriptcase | 1 Scriptcase | 2024-09-30 | N/A | 5.3 MEDIUM |
|
Path traversal vulnerability in Scriptcase version 9.4.019, in /scriptcase/devel/compat/nm_edit_php_edit.php (in the “subpage” parameter), which allows unauthenticated remote users to bypass SecurityManager's intended restrictions and list and/or read a parent directory via a “/...” or directly into a path used in the POST parameter “field_file” by a web application.
|
|||||
| CVE-2024-6786 | 1 Moxa | 1 Mxview One | 2024-09-30 | N/A | 6.5 MEDIUM |
|
The vulnerability allows an attacker to craft MQTT messages that include relative path traversal sequences, enabling them to read arbitrary files on the system. This could lead to the disclosure of sensitive information, such as configuration files and JWT signing secrets.
|
|||||
| CVE-2024-8671 | 1 Exthemes | 1 Wooevents | 2024-09-26 | N/A | 9.1 CRITICAL |
|
The WooEvents - Calendar and Event Booking plugin for WordPress is vulnerable to arbitrary file overwrite due to insufficient file path validation in the inc/barcode.php file in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to overwrite arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
|
|||||
| CVE-2024-8538 | 1 Infiniteuploads | 1 Big File Uploads | 2024-09-26 | N/A | 4.3 MEDIUM |
|
The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with author-level access and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to ...
Show More |
|||||
| CVE-2024-44048 | 2024-09-26 | N/A | 6.5 MEDIUM | ||
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpWax Product Carousel Slider & Grid Ultimate for WooCommerce allows PHP Local File Inclusion.This issue affects Product Carousel Slider & Grid Ultimate for WooCommerce: from n/a through 1.9.10.
|
|||||
| CVE-2024-45604 | 1 Contao | 1 Contao | 2024-09-25 | N/A | 4.3 MEDIUM |
|
Contao is an Open Source CMS. In affected versions authenticated users in the back end can list files outside the document root in the file selector widget. Users are advised to update to Contao 4.13.49. There are no known workarounds for this vulnerability.
|
|||||
| CVE-2024-45312 | 1 Overleaf | 1 Overleaf | 2024-09-25 | N/A | 5.3 MEDIUM |
|
Overleaf is a web-based collaborative LaTeX editor. Overleaf Community Edition and Server Pro prior to version 5.0.7 (or 4.2.7 for the 4.x series) contain a vulnerability that allows an arbitrary language parameter in client spelling requests to be passed to the `aspell` executable running on the server. This causes `aspell` to attempt to load a dictionary file with an arbitrary filename. File access is limited to the scope of the overleaf server. The problem is patched in versions 5.0.7 and 4 ...
Show More |
|||||
| CVE-2024-21753 | 1 Fortinet | 1 Forticlient Endpoint Management Server | 2024-09-25 | N/A | 6.0 MEDIUM |
|
A improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiClientEMS versions 7.2.0 through 7.2.4, 7.0.0 through 7.0.13, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8, 1.2.1 through 1.2.5 allows attacker to perform a denial of service, read or write a limited number of files via specially crafted HTTP requests
|
|||||
| CVE-2024-33109 | 2 Ergophone, Yealink | 4 Tiptel Ip 286, Tiptel Ip 286 Firmware, Sip-t28p and 1 more | 2024-09-25 | N/A | 9.8 CRITICAL |
|
Directory Traversal in the web interface of the Tiptel IP 286 with firmware version 2.61.13.10 allows attackers to overwrite arbitrary files on the phone via the Ringtone upload function.
|
|||||
| CVE-2024-7609 | 1 Vidco | 1 Voc Tester | 2024-09-23 | N/A | 7.5 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Vidco Software VOC TESTER allows Path Traversal.This issue affects VOC TESTER: before 12.34.8.
|
|||||
| CVE-2024-8875 | 1 Wcms | 1 Wcms | 2024-09-20 | 5.5 MEDIUM | 9.1 CRITICAL |
|
A vulnerability classified as critical was found in vedees wcms up to 0.3.2. Affected by this vulnerability is an unknown functionality of the file /wex/finder.php. The manipulation of the argument p leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-8752 | 2 Microsoft, Smart-hmi | 2 Windows, Webiq | 2024-09-20 | N/A | 7.5 HIGH |
|
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.
|
|||||
| CVE-2024-9032 | 1 Oretnom23 | 1 Simple Forum\/discussion System | 2024-09-20 | 6.5 MEDIUM | 8.8 HIGH |
|
A vulnerability, which was classified as critical, was found in SourceCodester Simple Forum-Discussion System 1.0. Affected is an unknown function of the file /index.php. The manipulation of the argument page leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-8876 | 1 Xiaohe4966 | 1 Tpmecms | 2024-09-20 | 4.0 MEDIUM | 7.5 HIGH |
|
A vulnerability, which was classified as problematic, has been found in xiaohe4966 TpMeCMS up to 1.3.3.1. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.3.2 is able to address this issue. It is recommended to upgrade the affected component.
|
|||||
| CVE-2024-8778 | 1 Syscomgo | 1 Omflow | 2024-09-20 | N/A | 6.5 MEDIUM |
|
OMFLOW from The SYSCOM Group does not properly validate user input of the download functionality, allowing remote attackers with regular privileges to read arbitrary system files.
|
|||||
| CVE-2024-23657 | 1 Nuxt | 1 Nuxt | 2024-09-20 | N/A | 8.8 HIGH |
|
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. In certain configurations an attacker could leak the devtools authentication token and ...
Show More |
|||||
| CVE-2024-42501 | 2024-09-20 | N/A | 7.2 HIGH | ||
|
An authenticated Path Traversal vulnerabilities exists in the ArubaOS. Successful exploitation of this vulnerability allows an attacker to install unsigned packages on the underlying operating system, enabling the threat actor to execute arbitrary code or install implants.
|
|||||
| CVE-2024-45601 | 2024-09-20 | N/A | 7.5 HIGH | ||
|
Mesop is a Python-based UI framework designed for rapid web apps development. A vulnerability has been discovered and fixed in Mesop that could potentially allow unauthorized access to files on the server hosting the Mesop application. The vulnerability was related to insufficient input validation in a specific endpoint. This could have allowed an attacker to access files not intended to be served. Users are strongly advised to update to the latest version of Mesop immediately. The latest versio ...
Show More |
|||||
| CVE-2024-8304 | 1 Jpress | 1 Jpress | 2024-09-19 | 5.8 MEDIUM | 4.9 MEDIUM |
|
A vulnerability has been found in jpress up to 5.1.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/template/edit of the component Template Module Handler. The manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-45388 | 1 Hoverfly | 1 Hoverfly | 2024-09-19 | N/A | 7.5 HIGH |
|
Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The `/api/v2/simulation` POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server. Note that, although the code prevents absolute paths from being specified, an attacker can escape out of the `hf.Cfg.ResponsesBodyFilesPath` base path by using `../` segm ...
Show More |
|||||
| CVE-2024-7961 | 1 Rockwellautomation | 1 Pavilion8 | 2024-09-19 | N/A | 9.8 CRITICAL |
|
A path traversal vulnerability exists in the Rockwell Automation affected product. If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.
|
|||||
| CVE-2024-8782 | 1 Heyewei | 1 Jfinalcms | 2024-09-19 | 6.5 MEDIUM | 9.8 CRITICAL |
|
A vulnerability was found in JFinalCMS up to 1.0. It has been rated as critical. This issue affects the function delete of the file /admin/template/edit. The manipulation of the argument name leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-42485 | 1 Pxlrbt | 1 Filament Excel | 2024-09-18 | N/A | 7.5 HIGH |
|
Filament Excel enables excel export for Filament admin resources. The export download route `/filament-excel/{path}` allowed downloading any file without login when the webserver allows `../` in the URL. Patched with Version v2.3.3.
|
|||||
| CVE-2024-8865 | 1 Composio | 1 Composio | 2024-09-17 | 2.7 LOW | 4.9 MEDIUM |
|
A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file composio\server\api.py. The manipulation of the argument file leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-42474 | 2 Microsoft, Snowflake | 2 Windows, Streamlit | 2024-09-16 | N/A | 6.5 MEDIUM |
|
Streamlit is a data oriented application development framework for python. Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit. The vulnerability was patched on Jul 25, 2024, as part of Streamlit o ...
Show More |
|||||
| CVE-2024-7928 | 1 Fastadmin | 1 Fastadmin | 2024-09-13 | 4.0 MEDIUM | 7.5 HIGH |
|
A vulnerability, which was classified as problematic, has been found in FastAdmin up to 1.3.3.20220121. Affected by this issue is some unknown functionality of the file /index/ajax/lang. The manipulation of the argument lang leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.4.20220530 is able to address this issue. It is recommended to upgrade the affected component.
|
|||||
| CVE-2024-43797 | 1 Audiobookshelf | 1 Audiobookshelf | 2024-09-13 | N/A | 4.3 MEDIUM |
|
audiobookshelf is a self-hosted audiobook and podcast server. A non-admin user is not allowed to create libraries (or access only the ones they have permission to). However, the `LibraryController` is missing the check for admin user and thus allows a path traversal issue. Allowing non-admin users to write to any directory in the system can be seen as a form of path traversal. However, since it can be restricted to only admin permissions, fixing this is relatively simple and falls more into the ...
Show More |
|||||
| CVE-2024-7145 | 1 Crocoblock | 1 Jetelements | 2024-09-13 | N/A | 8.8 HIGH |
|
The JetElements plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.20 via the 'progress_type' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types ...
Show More |
|||||
| CVE-2024-43129 | 1 Wpdeveloper | 1 Betterdocs | 2024-09-12 | N/A | 8.8 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPDeveloper BetterDocs allows PHP Local File Inclusion.This issue affects BetterDocs: from n/a through 3.5.8.
|
|||||
| CVE-2024-43135 | 1 Themewinter | 1 Wpcafe | 2024-09-12 | N/A | 8.8 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themewinter WPCafe allows PHP Local File Inclusion.This issue affects WPCafe: from n/a through 2.2.28.
|
|||||
| CVE-2024-43138 | 1 Mage-people | 1 Event Manager And Tickets Selling For Woocommerce | 2024-09-12 | N/A | 8.8 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in MagePeople Team Event Manager for WooCommerce allows PHP Local File Inclusion.This issue affects Event Manager for WooCommerce: from n/a through 4.2.1.
|
|||||
| CVE-2024-6312 | 1 Funnelforms | 1 Funnelforms Free | 2024-09-12 | N/A | 6.5 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 3.7.3.2 via the 'af2DeleteFontFile' function. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
|
|||||
| CVE-2024-6445 | 1 Dataflowx | 1 Datadiodex | 2024-09-12 | N/A | 7.5 HIGH |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DataFlowX Technology DataDiodeX allows Path Traversal.This issue affects DataDiodeX: from v3.0.0 before v3.1.7.
|
|||||