Total: 502 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29081 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few REST API URLs (for SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring. | |||||
| CVE-2022-4779 | 1 Elvexys | 1 Streamx | 2023-08-08 | N/A | 9.8 CRITICAL |
| StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows an attacker to bypass the implemented authentication scheme. StreamX applications using the StreamView HTML component with the public web server feature activated are affected. | |||||
| CVE-2022-47945 | 1 Thinkphp | 1 Thinkphp | 2023-08-08 | N/A | 9.8 CRITICAL |
| ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php. | |||||
| CVE-2022-32328 | 1 Fast Food Ordering System Project | 1 Fast Food Ordering System | 2023-08-08 | 6.4 MEDIUM | 9.1 CRITICAL |
| Fast Food Ordering System v1.0 allows deletion of arbitrary files via /ffos/classes/Master.php?f=delete_img. | |||||
| CVE-2021-22005 | 1 Vmware | 2 Cloud Foundation, Vcenter Server | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file. | |||||
| CVE-2022-32409 | 1 Softwarepublico | 1 I3geo | 2023-08-08 | N/A | 9.8 CRITICAL |
| A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request. | |||||
| CVE-2023-33369 | 1 Assaabloy | 1 Control Id Idsecure | 2023-08-07 | N/A | 9.1 CRITICAL |
| A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service. | |||||
| CVE-2023-26045 | 1 Nodebb | 1 Nodebb | 2023-08-01 | N/A | 9.8 CRITICAL |
| NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to arbitrarily execute javascript files on the local disk. This issue is patched in version 2.8.7. As a workaround, site maintainers can cherry pick the fix into their codebase to patch the exploit. | |||||
| CVE-2023-34478 | 1 Apache | 1 Shiro | 2023-08-01 | N/A | 9.8 CRITICAL |
| Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ | |||||
| CVE-2022-46898 | 1 Vocera | 2 Report Server, Voice Server | 2023-08-01 | N/A | 9.8 CRITICAL |
| An issue was discovered in Vocera Report Server and Voice Server 5.x through 5.8. There is Path Traversal via the "restore SQL data" filename. The Vocera Report Console contains a websocket function that allows for the restoration of the database from a ZIP archive that expects a SQL import file. The filename provided is not properly sanitized and allows for the inclusion of a path-traversal payload that can be used to escape the intended Vocera restoration directory. An attacker could exploit this vulnerability to point to a crafted ZIP archive that contains SQL commands that could be executed against the database. | |||||
| CVE-2023-37461 | 1 Metersphere | 1 Metersphere | 2023-07-27 | N/A | 9.8 CRITICAL |
| Metersphere is an opensource testing framework. Files uploaded to Metersphere may define a `belongType` value with a relative path like `../../../../` which may cause metersphere to attempt to overwrite an existing file in the defined location or to create a new file. Attackers would be limited to overwriting files that the metersphere process has access to. This issue has been addressed in version 2.10.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-26563 | 1 Syncfusion | 1 Nodejs File System Provider | 2023-07-26 | N/A | 9.8 CRITICAL |
| The Syncfusion EJ2 Node File Provider 0102271 is vulnerable to filesystem-server.js directory traversal. As a result, an unauthenticated attacker can, on Windows, list files in any directory, read any file, delete any file, and upload any file to any directory accessible by the web server; on Linux, read any file, download any directory, delete any file, and upload any file to any directory accessible by the web server. | |||||
| CVE-2023-26564 | 1 Syncfusion | 1 Ej2 Aspcore File Provider | 2023-07-26 | N/A | 9.8 CRITICAL |
| The Syncfusion EJ2 ASPCore File Provider 3ac357f is vulnerable to Models/PhysicalFileProvider.cs directory traversal. As a result, an unauthenticated attacker can list files within a directory, download any file, or upload any file to any directory accessible by the web server. | |||||
| CVE-2020-11455 | 1 Limesurvey | 1 Limesurvey | 2022-07-30 | 7.5 HIGH | 9.8 CRITICAL |
| LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. | |||||
| CVE-2022-2139 | 1 Advantech | 1 Iview | 2022-07-29 | N/A | 9.8 CRITICAL |
| Advantech iView is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code. | |||||
| CVE-2022-0902 | 1 Abb | 14 Rmc-100, Rmc-100-lite, Rmc-100-lite Firmware and 11 more | 2022-07-28 | N/A | 9.8 CRITICAL |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerabilities in flow computer and remote controller products of ABB (RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, UDC) allow an attacker who successfully exploits them to insert and run arbitrary code on an affected system node. | |||||
| CVE-2022-23457 | 1 Owasp | 1 Enterprise Security Api | 2022-07-25 | 7.5 HIGH | 9.8 CRITICAL |
| ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This could allow control-flow checks that rely on it to be bypassed if an attacker can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface; however, the maintainers do not recommend this. | |||||
| CVE-2022-31558 | 1 Shiva-server Project | 1 Shiva-server | 2022-07-16 | 6.4 MEDIUM | 9.3 CRITICAL |
| The tooxie/shiva-server repository through 0.10.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31557 | 1 Golem Project | 1 Golem | 2022-07-16 | 6.4 MEDIUM | 9.3 CRITICAL |
| The seveas/golem repository through 2016-05-17 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31532 | 1 Travel Blahg Project | 1 Travel Blahg | 2022-07-16 | 6.4 MEDIUM | 9.3 CRITICAL |
| The dankolbman/travel_blahg repository through 2016-01-16 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31530 | 1 Csm Server Project | 1 Csm Server | 2022-07-16 | 6.4 MEDIUM | 9.3 CRITICAL |
| The csm-aut/csm repository through 3.5 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31531 | 1 Dainst | 1 Cilantro | 2022-07-16 | 6.4 MEDIUM | 9.3 CRITICAL |
| The dainst/cilantro repository through 0.0.4 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31588 | 1 Testplatform Project | 1 Testplatform | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The zippies/testplatform repository through 2016-07-19 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31567 | 1 Data Stream Algorithm Benchmark Project | 1 Data Stream Algorithm Benchmark | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The DSABenchmark/DSAB repository through 2.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31544 | 1 Xtomo | 1 Robo-tom | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The meerstein/rbtm repository through 1.5 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31587 | 1 Kg-fashion-chatbot Project | 1 Kg-fashion-chatbot | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The yuriyouzhou/KG-fashion-chatbot repository through 2018-05-22 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31586 | 1 Changepop-back Project | 1 Changepop-back | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The unizar-30226-2019-06/ChangePop-Back repository through 2019-06-04 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31583 | 1 Automatedquizeval Project | 1 Automatedquizeval | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The sravaniboinepelli/AutomatedQuizEval repository through 2020-04-27 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31585 | 1 Home Internet Project | 1 Home Internet | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The umeshpatil-dev/Home__internet repository through 2020-08-28 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31584 | 1 S3label Project | 1 S3label | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The stonethree/s3label repository through 2019-08-14 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31582 | 1 Videoserver Project | 1 Videoserver | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The shaolo1/VideoServer repository through 2019-09-21 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31581 | 1 Scorelab | 1 Openmf | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The scorelab/OpenMF repository before 2022-05-03 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31579 | 1 Iasset Project | 1 Iasset | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The ralphjzhang/iasset repository through 2022-05-04 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31577 | 1 Audio Aligner App Project | 1 Audio Aligner App | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The longmaoteamtf/audio_aligner_app repository through 2020-01-10 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31576 | 1 Shackerpanel Project | 1 Shackerpanel | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The heidi-luong1109/shackerpanel repository through 2021-05-25 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31580 | 1 Caretakerr-api Project | 1 Caretakerr-api | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The sanojtharindu/caretakerr-api repository through 2021-05-17 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31575 | 1 Livro Python Project | 1 Livro Python | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The duducosmos/livro_python repository through 2018-06-06 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31574 | 1 Realestate Project | 1 Realestate | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The deepaliupadhyay/RealEstate repository through 2018-11-30 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31573 | 1 Chainer | 1 Chainerrl-visualizer | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The chainer/chainerrl-visualizer repository through 0.1.1 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31571 | 1 Python-flask-restful-api Project | 1 Python-flask-restful-api | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The akashtalole/python-flask-restful-api repository through 2019-09-16 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31572 | 1 Cockybook Project | 1 Cockybook | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The ceee-vip/cockybook repository through 2015-04-16 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31570 | 1 Ceneo-web-scrapper Project | 1 Ceneo-web-scrapper | 2022-07-15 | 7.5 HIGH | 9.8 CRITICAL |
| The adriankoczuruek/ceneo-web-scrapper repository through 2021-03-15 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31568 | 1 Rexians | 1 Rex-web | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The Rexians/rex-web repository through 2022-06-05 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31556 | 1 Trainenergyserver Project | 1 Trainenergyserver | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The rusyasoft/TrainEnergyServer repository through 2017-08-03 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31555 | 1 Nurse Quest Project | 1 Nurse Quest | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The romain20100/nursequest repository through 2018-02-22 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31554 | 1 Movie-review-sentiment-analysis Project | 1 Movie-review-sentiment-analysis | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The rohitnayak/movie-review-sentiment-analysis repository through 2017-05-07 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31552 | 1 Anuvaad-corpus Project | 1 Anuvaad-corpus | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The project-anuvaad/anuvaad-corpus repository through 2020-11-23 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31551 | 1 Flask-mongo-skel Project | 1 Flask-mongo-skel | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The pleomax00/flask-mongo-skel repository through 2012-11-01 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31553 | 1 Sleep Learner Project | 1 Sleep Learner | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The rainsoupah/sleep-learner repository through 2021-02-21 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
| CVE-2022-31550 | 1 Python Athena Stack Project | 1 Python Athena Stack | 2022-07-15 | 6.4 MEDIUM | 9.3 CRITICAL |
| The olmax99/pyathenastack repository through 2019-11-08 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | |||||
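Two root causes recur in this list: the long run of Flask `send_file` entries (CVE-2022-31550 through CVE-2022-31588) describes an absolute-path traversal, where a user-supplied path is joined onto a base directory and an absolute input simply replaces the base, and the ESAPI entry (CVE-2022-23457) describes a containment check that wrongly accepts a path as a child of the parent directory. The block below is an added illustration written for this page, not code from any of the listed projects; the directory names and sample files are constructed. `naive_join` shows the join behaviour behind the first class of bug, `prefix_check_is_child` shows the string-prefix mistake behind the second, and `resolve_under` is a containment check that handles absolute input, `..` sequences, a sibling directory that shares a name prefix, and symlinks that point outside the base.

```python
import os
import posixpath
import tempfile


def naive_join(base, user_path):
    """The join pattern behind the Flask send_file CVEs (assumed shape, not any
    listed project's code). posixpath.join drops every earlier component when
    a later one is absolute, so an absolute user path replaces the base
    directory; '..' sequences survive and are collapsed by normpath."""
    return posixpath.normpath(posixpath.join(base, user_path))


def prefix_check_is_child(parent, candidate):
    """String-prefix containment test: the class of mistake described for
    ESAPI's getValidDirectoryPath. A sibling such as <parent>2/x passes."""
    return posixpath.normpath(candidate).startswith(posixpath.normpath(parent))


def resolve_under(base, user_path):
    """Return the resolved on-disk path if it lies inside base, else None.

    - rejects NUL bytes and absolute input outright;
    - resolves symlinks on both sides (realpath), so the decision is made on
      the path the filesystem will actually open;
    - uses commonpath rather than a string prefix, so a sibling directory
      sharing a name prefix is not accepted as a child.
    """
    if "\x00" in user_path or os.path.isabs(user_path):
        return None
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    try:
        if os.path.commonpath([base_real, target]) != base_real:
            return None
    except ValueError:  # mixed absolute/relative or different drives
        return None
    return target


def demo():
    """Exercise the three functions against a constructed directory tree:
    <root>/static (the served base), a sibling <root>/static2, a file
    <root>/secret.txt outside the base, and a symlink inside the base that
    points at that secret file."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "static")
        os.makedirs(os.path.join(base, "css"))
        with open(os.path.join(base, "css", "site.css"), "w") as fh:
            fh.write("body{}")
        os.makedirs(os.path.join(root, "static2"))
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("top secret")
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
        legit = resolve_under(base, "css/site.css")
        return {
            # the safe check still serves the legitimate file
            "legit": legit == os.path.realpath(os.path.join(base, "css", "site.css")),
            # absolute input, '..' escape and the out-of-base symlink are refused
            "absolute": resolve_under(base, "/etc/passwd"),
            "dotdot": resolve_under(base, "../secret.txt"),
            "symlink": resolve_under(base, "link"),
            # the prefix test accepts the sibling directory; commonpath does not
            "sibling_prefix_check": prefix_check_is_child(base, os.path.join(root, "static2", "x")),
            "sibling_commonpath": resolve_under(base, "../static2/x"),
        }


if __name__ == "__main__":
    print(naive_join("/srv/app/static", "/etc/passwd"))          # base discarded
    print(naive_join("/srv/app/static", "../../../etc/passwd"))  # '..' escape
    print(demo())
```

In Flask itself the equivalent of `resolve_under` is `send_from_directory(directory, path)`, which performs the containment check (via `werkzeug.utils.safe_join`) before calling `send_file`; passing a user-controlled path straight to `send_file`, as the entries above describe, skips it.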
