Total: 907 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-1744 | 1 Ibm | 1 Security Key Lifecycle Manager | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148423. | |||||
| CVE-2018-1079 | 2 Clusterlabs, Redhat | 2 Pacemaker Command Line Interface, Enterprise Linux | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| pcs before version 0.9.164 and 0.10 is vulnerable to a privilege escalation via authorized user malicious REST call. The REST interface of the pcsd service did not properly sanitize the file name from the /remote/put_file query. If the /etc/booth directory exists, an authenticated attacker with write permissions could create or overwrite arbitrary files with arbitrary data outside of the /etc/booth directory, in the context of the pcsd process. | |||||
| CVE-2018-1649 | 1 Ibm | 1 Qradar Incident Forensics | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| IBM QRadar Incident Forensics 7.2 and 7.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 144655. | |||||
| CVE-2018-1656 | 3 Ibm, Oracle, Redhat | 6 Sdk, Enterprise Manager Base Platform, Enterprise Linux Desktop and 3 more | 2019-10-09 | 4.3 MEDIUM | 6.5 MEDIUM |
| The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. | |||||
| CVE-2018-1047 | 1 Redhat | 3 Enterprise Linux Server, Jboss Enterprise Application Platform, Jboss Wildfly Application Server | 2019-10-09 | 2.1 LOW | 5.5 MEDIUM |
| A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files. | |||||
| CVE-2018-18990 | 1 Lcds | 1 Laquis Scada | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| LCDS Laquis SCADA prior to version 4.1.0.4150 allows a user-supplied path in file operations prior to proper validation. An attacker can leverage this vulnerability to disclose sensitive information under the context of the web server process. | |||||
| CVE-2018-16473 | 1 Takeapeek Project | 1 Takeapeek | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A path traversal in takeapeek module versions <=0.2.2 allows an attacker to list directory and files. | |||||
| CVE-2018-16478 | 1 Simplehttpserver Project | 1 Simplehttpserver | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| A Path Traversal in simplehttpserver versions <=0.2.1 allows an attacker to list any file in another folder of the web root. | |||||
| CVE-2018-16485 | 1 M-server Project | 1 M-server | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Path Traversal vulnerability in module m-server <1.4.1 allows a malicious user to access unauthorized content of any file in the directory tree, e.g. /etc/passwd, by appending slashes to the URL request. | |||||
| CVE-2018-13299 | 1 Synology | 1 Calendar | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter. | |||||
| CVE-2018-1002208 | 1 Sharpziplib Project | 1 Sharpziplib | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | |||||
| CVE-2018-1002209 | 1 Quazip Project | 1 Quazip | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| QuaZIP before 0.7.6 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | |||||
| CVE-2018-1002202 | 1 Zip4j Project | 1 Zip4j | 2019-10-09 | 5.8 MEDIUM | 6.5 MEDIUM |
| zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | |||||
| CVE-2018-1002203 | 1 Unzipper Project | 1 Unzipper | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| unzipper npm library before 0.8.13 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | |||||
| CVE-2018-1002205 | 1 Dotnetzip.semverd Project | 1 Dotnetzip.semverd | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | |||||
| CVE-2018-1002206 | 1 Sharpcompress Project | 1 Sharpcompress | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| SharpCompress before 0.21.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | |||||
| CVE-2018-1002207 | 1 Archiver Project | 1 Archiver | 2019-10-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| mholt/archiver golang package before e4ef56d48eb029648b0e895bb0b6a393ef0829c3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | |||||
| CVE-2018-0123 | 1 Cisco | 2 Ios, Ios Xe | 2019-10-09 | 4.9 MEDIUM | 5.5 MEDIUM |
| A Path Traversal vulnerability in the diagnostic shell for Cisco IOS and IOS XE Software could allow an authenticated, local attacker to use certain diagnostic shell commands that can overwrite system files. These system files may be sensitive and should not be able to be overwritten by a user of the diagnostic shell. The vulnerability is due to lack of proper input validation for certain diagnostic shell commands. An attacker could exploit this vulnerability by authenticating to the device, entering the diagnostic shell, and providing crafted user input to commands at the local diagnostic shell CLI. Successful exploitation could allow the attacker to overwrite system files that should be restricted. Cisco Bug IDs: CSCvg41950. | |||||
| CVE-2018-0323 | 1 Cisco | 1 Network Functions Virtualization Infrastructure | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web management interface of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, remote attacker to conduct a path traversal attack on a targeted system. The vulnerability is due to insufficient validation of web request parameters. An attacker who has access to the web management interface of the affected application could exploit this vulnerability by sending a malicious web request to the affected device. A successful exploit could allow the attacker to access sensitive information on the affected system. Cisco Bug IDs: CSCvh99631. | |||||
| CVE-2017-6758 | 1 Cisco | 1 Unified Communications Manager | 2019-10-09 | 6.8 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the web framework of Cisco Unified Communications Manager 11.5(1.10000.6) could allow an authenticated, remote attacker to access arbitrary files in the context of the web root directory structure on an affected device. The vulnerability is due to insufficient input validation by the affected software. An attacker could exploit this vulnerability by using directory traversal techniques to read files in the web root directory structure on the Cisco Unified Communications Manager filesystem. Cisco Bug IDs: CSCve13796. | |||||
| CVE-2017-7424 | 1 Microfocus | 2 Enterprise Developer, Enterprise Server | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro Focus Enterprise Developer and Enterprise Server 2.3, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9 allows remote authenticated users to download arbitrary files from a system running the product, if this component is configured. Note esfadmingui is not enabled by default. | |||||
| CVE-2017-6020 | 1 Lcds | 1 Laquis Scada | 2019-10-09 | 4.0 MEDIUM | 5.3 MEDIUM |
| Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis SCADA software versions prior to version 4.1.0.3237 do not neutralize external input to ensure that users are not calling for absolute path sequences outside of their privilege level. | |||||
| CVE-2017-3188 | 1 Dotcms | 1 Dotcms | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| The dotCMS administration panel, versions 3.7.1 and earlier, "Push Publishing" feature in Enterprise Pro is vulnerable to path traversal. When "Bundle" tar.gz archives uploaded to the Push Publishing feature are decompressed, the filenames of its contents are not properly checked, allowing for writing files to arbitrary directories on the file system. These archives may be uploaded directly via the administrator panel, or using the CSRF vulnerability (CVE-2017-3187). An unauthenticated remote attacker may perform actions with the dotCMS administrator panel with the same permissions of a victim user or execute arbitrary system commands with the permissions of the user running the dotCMS application. | |||||
| CVE-2017-1749 | 1 Ibm | 1 Urbancode Deploy | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| IBM UrbanCode Deploy 6.1 through 6.9.6.0 could allow a remote attacker to traverse directories on the system. An unauthenticated attacker could alter UCD deployments. IBM X-Force ID: 135522. | |||||
| CVE-2017-2595 | 1 Redhat | 2 Enterprise Linux, Jboss Enterprise Application Platform | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal. | |||||
| CVE-2017-16222 | 1 Elding Project | 1 Elding | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing "../" in the URL. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a 404 on etc/passwd/index.js. | |||||
| CVE-2017-16179 | 1 Dasafio Project | 1 Dasafio | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| dasafio is a web server. dasafio is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. File access is restricted to only .html files. | |||||
| CVE-2017-16109 | 1 Easyquick Project | 1 Easyquick | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| easyquick is a simple web server. easyquick is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL. Access is constrained, however, to supported file types. Requesting a file such as /etc/passwd returns a "not supported" error. | |||||
| CVE-2017-15895 | 1 Synology | 1 Router Manager | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology Router Manager (SRM) before 1.1.5-6542-4 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter. | |||||
| CVE-2017-15893 | 1 Synology | 1 File Station | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology File Station before 1.1.1-0099 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter. | |||||
| CVE-2017-15894 | 1 Synology | 1 Diskstation Manager | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter. | |||||
| CVE-2017-12285 | 1 Cisco | 1 Prime Network Analysis Module | 2019-10-09 | 6.4 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web interface of Cisco Network Analysis Module Software could allow an unauthenticated, remote attacker to delete arbitrary files from an affected system, aka Directory Traversal. The vulnerability exists because the affected software does not perform proper input validation of HTTP requests that it receives and the software does not apply role-based access controls (RBACs) to requested HTTP URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. A successful exploit could allow the attacker to delete arbitrary files from the affected system. Cisco Bug IDs: CSCvf41365. | |||||
| CVE-2017-12074 | 1 Synology | 1 Dns Server | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in the SYNO.DNSServer.Zone.MasterZoneConf in Synology DNS Server before 2.2.1-3042 allows remote authenticated attackers to write arbitrary files via the domain_name parameter. | |||||
| CVE-2017-11162 | 1 Synology | 1 Photo Station | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors. | |||||
| CVE-2017-0930 | 1 Augustine Project | 1 Augustine | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| augustine node module suffers from a Path Traversal vulnerability due to lack of validation of the URL, which allows a malicious user to read the content of any file with a known path. | |||||
| CVE-2016-7041 | 1 Redhat | 2 Jboss Brms, Jboss Drools | 2019-10-09 | 6.8 MEDIUM | 6.5 MEDIUM |
| Drools Workbench contains a path traversal vulnerability. The vulnerability allows a remote, authenticated attacker to bypass the directory restrictions and retrieve arbitrary files from the affected host. | |||||
| CVE-2016-10561 | 1 Bitty Project | 1 Bitty | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| Bitty is a development web server tool that functions similar to `python -m SimpleHTTPServer`. Version 0.2.10 has a directory traversal vulnerability that is exploitable via the URL path in GET requests. | |||||
| CVE-2016-10528 | 1 Restafary Project | 1 Restafary | 2019-10-09 | 4.0 MEDIUM | 4.9 MEDIUM |
| restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to run inside of that root path it specified. | |||||
| CVE-2019-16198 | 1 Kslabs | 1 Ksweb | 2019-10-09 | 4.0 MEDIUM | 6.5 MEDIUM |
| KSLabs KSWEB 3.93 allows ../ directory traversal, as demonstrated by the hostFile parameter. | |||||
| CVE-2019-17073 | 1 Emlog | 1 Emlog | 2019-10-04 | 5.5 MEDIUM | 6.5 MEDIUM |
| emlog through 6.0.0beta allows remote authenticated users to delete arbitrary files via admin/template.php?action=del&tpl=../ directory traversal. | |||||
| CVE-2018-9038 | 1 Monstra | 1 Monstra | 2019-10-03 | 5.5 MEDIUM | 6.5 MEDIUM |
| Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request. | |||||
| CVE-2018-7296 | 1 Eq-3 | 2 Homematic Central Control Unit Ccu2, Homematic Central Control Unit Ccu2 Firmware | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| Directory Traversal / Arbitrary File Read in User.getLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to read the first line of an arbitrary file on the CCU2's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface. | |||||
| CVE-2017-8314 | 2 Debian, Kodi | 2 Debian Linux, Kodi | 2019-10-03 | 4.3 MEDIUM | 5.5 MEDIUM |
| Directory Traversal in Zip Extraction built-in function in Kodi 17.1 and earlier allows arbitrary file write on disk via a Zip file as subtitles. | |||||
| CVE-2018-10917 | 1 Pulpproject | 1 Pulp | 2019-10-03 | 4.0 MEDIUM | 6.5 MEDIUM |
| pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories. | |||||
| CVE-2018-7770 | 1 Schneider-electric | 1 U.motion | 2019-10-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| The vulnerability exists within processing of sendmail.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The applet allows callers to select arbitrary files to send to an arbitrary email address. | |||||
| CVE-2018-9159 | 1 Sparkjava | 1 Spark | 2019-10-03 | 5.0 MEDIUM | 5.3 MEDIUM |
| In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark. | |||||
| CVE-2017-16759 | 1 Librenms | 1 Librenms | 2019-10-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| The installation process in LibreNMS before 2017-08-18 allows remote attackers to read arbitrary files, related to html/install.php. | |||||
| CVE-2010-0467 | 2 Chillcreations, Joomla | 2 Com Ccnewsletter, Joomla! | 2019-09-27 | 5.0 MEDIUM | 5.8 MEDIUM |
| Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php. | |||||
| CVE-2019-16903 | 1 Plutinosoft | 1 Platinum | 2019-09-26 | 5.0 MEDIUM | 5.3 MEDIUM |
| Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /.. where it should be checking for ../ instead. | |||||
| CVE-2019-16679 | 1 Gilacms | 1 Gila Cms | 2019-09-23 | 4.0 MEDIUM | 4.9 MEDIUM |
| Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion. | |||||
