Total
7656 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6190 | 1 Ikcu | 1 University Information Management System | 2024-11-27 | 9.8 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in İzmir Katip Çelebi University University Information Management System allows Absolute Path Traversal.This issue affects University Information Management System: before 30.11.2023. | ||||
| CVE-2024-53844 | 2024-11-26 | 6.3 Medium | ||
| E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to connect and manage LLM API bots. A path traversal vulnerability exists in the backup export functionality of EDDI, as implemented in `RestExportService.java`. This vulnerability allows an attacker to access sensitive files on the server by manipulating the `botFilename` parameter in requests. The application fails to sanitize user input, enabling malicious inputs such as `..%2f..%2fetc%2fpasswd` to access arbitrary files. However, the **severity of this vulnerability is significantly limited** because EDDI typically runs within a **Docker container**, which provides additional layers of isolation and restricted permissions. As a result, while this vulnerability exposes files within the container, it does not inherently threaten the underlying host system or other containers. A patch is required to sanitize and validate the botFilename input parameter. Users should ensure they are using version 5.4 which contains this patdch. For temporary mitigation, access to the vulnerable endpoint should be restricted through firewall rules or authentication mechanisms. | ||||
| CVE-2023-34598 | 1 Gibbonedu | 1 Gibbon | 2024-11-26 | 9.8 Critical |
| Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response. | ||||
| CVE-2024-10803 | 1 Fwdesign | 1 Mp3 Sticky Player | 2024-11-26 | 7.5 High |
| The MP3 Sticky Player plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.0 via the content/downloader.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Please note the vendor released the patched version as the same version as the affected version. | ||||
| CVE-2023-20220 | 1 Cisco | 2 Firepower Management Center, Secure Firewall Management Center | 2024-11-26 | 7.2 High |
| Multiple vulnerabilities in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system. To exploit these vulnerabilities, the attacker must have valid device credentials, but does not need Administrator privileges. These vulnerabilities are due to insufficient validation of user-supplied input for certain configuration options. An attacker could exploit these vulnerabilities by using crafted input within the device configuration GUI. A successful exploit could allow the attacker to execute arbitrary commands on the device, including on the underlying operating system, which could also affect the availability of the device. | ||||
| CVE-2020-3550 | 1 Cisco | 2 Firepower Threat Defense, Secure Firewall Management Center | 2024-11-26 | 8.1 High |
| A vulnerability in the sfmgr daemon of Cisco Firepower Management Center (FMC) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to perform directory traversal and access directories outside the restricted path. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by using a relative path in specific sfmgr commands. An exploit could allow the attacker to read or write arbitrary files on an sftunnel-connected peer device. | ||||
| CVE-2024-20379 | 1 Cisco | 2 Firepower Management Center, Secure Firewall Management Center | 2024-11-26 | 6.5 Medium |
| A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system of the affected device. The attacker would need valid user credentials to exploit this vulnerability. | ||||
| CVE-2019-12691 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | 4.9 Medium |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to perform a directory traversal attack on an affected device. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass Cisco FMC Software security restrictions and gain access to the underlying filesystem of the affected device. | ||||
| CVE-2023-33411 | 1 Supermicro | 724 B12dpe-6, B12dpe-6 Firmware, B12dpt-6 and 721 more | 2024-11-26 | 7.5 High |
| A web server in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions up to 3.17.02, allows remote unauthenticated users to perform directory traversal, potentially disclosing sensitive information. | ||||
| CVE-2018-0426 | 1 Cisco | 6 Rv110w Firmware, Rv110w Wireless-n Vpn Firewall, Rv130w and 3 more | 2024-11-26 | N/A |
| A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to the targeted device. A successful exploit could allow the attacker to gain access to arbitrary files on the affected device, resulting in the disclosure of sensitive information. | ||||
| CVE-2018-0464 | 1 Cisco | 1 Prime Data Center Network Manager | 2024-11-26 | N/A |
| A vulnerability in Cisco Data Center Network Manager software could allow an authenticated, remote attacker to conduct directory traversal attacks and gain access to sensitive files on the targeted system. The vulnerability is due to improper validation of user requests within the management interface. An attacker could exploit this vulnerability by sending malicious requests containing directory traversal character sequences within the management interface. An exploit could allow the attacker to view or create arbitrary files on the targeted system. | ||||
| CVE-2018-0405 | 1 Cisco | 4 Rv180w, Rv180w Firmware, Rv220w and 1 more | 2024-11-26 | N/A |
| A vulnerability in the web framework code for Cisco RV180W Wireless-N Multifunction VPN Router and Small Business RV Series RV220W Wireless Network Security Firewall could allow an unauthenticated, remote attacker to conduct a directory path traversal attack on a targeted device. The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. | ||||
| CVE-2018-0420 | 1 Cisco | 1 Wireless Lan Controller Software | 2024-11-26 | 6.5 Medium |
| A vulnerability in the web-based interface of Cisco Wireless LAN Controller Software could allow an authenticated, remote attacker to view sensitive information. The issue is due to improper sanitization of user-supplied input in HTTP request parameters that describe filenames and pathnames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. A successful exploit could allow the attacker to view system files on the targeted device, which may contain sensitive information. | ||||
| CVE-2018-15450 | 1 Cisco | 1 Prime Collaboration | 2024-11-26 | 6.5 Medium |
| A vulnerability in the web-based UI of Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to overwrite files on the file system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by using a specific UI input field to provide a custom path location. A successful exploit could allow the attacker to overwrite files on the file system. | ||||
| CVE-2023-26293 | 1 Siemens | 1 Tia Portal | 2024-11-25 | 7.3 High |
| A vulnerability has been identified in Totally Integrated Automation Portal (TIA Portal) V15 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions < V16 Update 7), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 6), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 1). Affected products contain a path traversal vulnerability that could allow the creation or overwrite of arbitrary files in the engineering system. If the user is tricked to open a malicious PC system configuration file, an attacker could exploit this vulnerability to achieve arbitrary code execution. | ||||
| CVE-2024-23787 | 1 Sharp | 4 Jh-rv11, Jh-rv11 Firmware, Jh-rvb1 and 1 more | 2024-11-25 | 6.5 Medium |
| Path traversal vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to obtain an arbitrary file in the affected product. | ||||
| CVE-2024-10220 | 1 Kubernetes | 1 Kubelet | 2024-11-25 | 8.1 High |
| The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes.This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2. | ||||
| CVE-2020-36651 | 1 Nodeserver Project | 1 Nodeserver | 2024-11-25 | 5.5 Medium |
| A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of the file nodeserver.js. The manipulation leads to path traversal. The identifier of the patch is c4c0f0138ab5afbac58e03915d446680421bde28. It is recommended to apply a patch to fix this issue. The identifier VDB-218461 was assigned to this vulnerability. | ||||
| CVE-2024-30851 | 2024-11-25 | 6.5 Medium | ||
| Directory Traversal vulnerability in codesiddhant Jasmin Ransomware v.1.0.1 allows an attacker to obtain sensitive information via the download_file.php component. | ||||
| CVE-2024-7340 | 1 Weights \& Biases | 1 Weave | 2024-11-25 | 8.8 High |
| The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin. | ||||