Total
7656 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-52953 | 1 Huawei | 2 Emui, Harmonyos | 2025-01-13 | 6.2 Medium |
| Path traversal vulnerability in the Medialibrary module Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality. | ||||
| CVE-2023-2435 | 1 Blog-in-blog Project | 1 Blog-in-blog | 2025-01-13 | 7.2 High |
| The Blog-in-Blog plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.1 via a shortcode attribute. This allows editor-level, and above, attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2022-29081 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2025-01-13 | 9.8 Critical |
| Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring. | ||||
| CVE-2022-47595 | 1 Codecabin | 1 Wp Go Maps | 2025-01-13 | 4.9 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Go Maps (formerly WP Google Maps) plugin <= 9.0.15 versions. | ||||
| CVE-2025-0401 | 2025-01-13 | 5.3 Medium | ||
| A vulnerability classified as critical has been found in 1902756969 reggie 1.0. Affected is the function download of the file src/main/java/com/itheima/reggie/controller/CommonController.java. The manipulation of the argument name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-38819 | 1 Redhat | 1 Apache Camel Spring Boot | 2025-01-10 | 7.5 High |
| Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. | ||||
| CVE-2024-10005 | 1 Hashicorp | 1 Consul | 2025-01-10 | 8.1 High |
| A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules. | ||||
| CVE-2023-30197 | 1 Webbax | 1 Myinventory | 2025-01-09 | 7.5 High |
| Incorrect Access Control in the module "My inventory" (myinventory) <= 1.6.6 from Webbax for PrestaShop, allows a guest to download personal information without restriction by performing a path traversal attack. | ||||
| CVE-2023-2909 | 1 Asustor | 1 Adm | 2025-01-09 | 8.5 High |
| EZ Sync service fails to adequately handle user input, allowing an attacker to navigate beyond the intended directory structure and delete files. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below. | ||||
| CVE-2023-29159 | 1 Encode | 1 Starlette | 2025-01-09 | 7.5 High |
| Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette. | ||||
| CVE-2023-27639 | 1 Tshirtecommerce | 1 Custom Product Designer | 2025-01-09 | 7.5 High |
| An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with the POST parameter file_name in the tshirtecommerce/ajax.php?type=svg endpoint, to allow a remote attacker to traverse directories on the system in order to open files (without restriction on the extension and path). Only files that can be parsed in XML can be opened. This is exploited in the wild in March 2023. | ||||
| CVE-2023-25750 | 1 Mozilla | 1 Firefox | 2025-01-09 | 4.3 Medium |
| Under certain circumstances, a ServiceWorker's offline cache may have leaked to the file system when using private browsing mode. This vulnerability affects Firefox < 111. | ||||
| CVE-2024-9575 | 1 Rami.io Gmbh | 1 Pretiix Widget Wordpress Plugin | 2025-01-09 | N/A |
| Local File Inclusion vulnerability in pretix Widget WordPress plugin pretix-widget on Windows allows PHP Local File Inclusion. This issue affects pretix Widget WordPress plugin: from 1.0.0 through 1.0.5. | ||||
| CVE-2023-29736 | 1 Timmystudios | 1 Keyboard Themes | 2025-01-09 | 9.8 Critical |
| Keyboard Themes 1.275.1.164 for Android contains a dictionary traversal vulnerability that allows unauthorized apps to overwrite arbitrary files in its internal storage and achieve arbitrary code execution. | ||||
| CVE-2023-33544 | 1 Hawt | 1 Hawtio | 2025-01-09 | 5.5 Medium |
| hawtio 2.17.2 is vulnerable to Path Traversal. it is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite. | ||||
| CVE-2024-29196 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | 3.8 Low |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root. This vulnerability is fixed in 3.2.6. | ||||
| CVE-2023-28163 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-09 | 6.5 Medium |
| When downloading files through the Save As dialog on Windows with suggested filenames containing environment variable names, Windows would have resolved those in the context of the current user. <br>*This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.*. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. | ||||
| CVE-2024-25123 | 1 Open-mss | 1 Mission Support System | 2025-01-09 | 7.3 High |
| MSS (Mission Support System) is an open source package designed for planning atmospheric research flights. In file: `index.py`, there is a method that is vulnerable to path manipulation attack. By modifying file paths, an attacker can acquire sensitive information from different resources. The `filename` variable is joined with other variables to form a file path in `_file`. However, `filename` is a route parameter that can capture path type values i.e. values including slashes (\). So it is possible for an attacker to manipulate the file being read by assigning a value containing ../ to `filename` and so the attacker may be able to gain access to other files on the host filesystem. This issue has been addressed in MSS version 8.3.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-25620 | 2 Helm, Redhat | 4 Helm, Acm, Openshift and 1 more | 2025-01-09 | 6.4 Medium |
| Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies. | ||||
| CVE-2022-31474 | 1 Ithemes | 1 Backupbuddy | 2025-01-08 | 7.5 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal.This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1. | ||||