Total: 7645 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2022-25634 | 1 Qt | 1 Qt | 2024-11-21 | 7.5 High | Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. |
CVE-2022-25591 | 1 Blogengine | 1 Blogengine.net | 2024-11-21 | 9.1 Critical | BlogEngine.NET v3.3.8.0 was discovered to contain an arbitrary file deletion vulnerability which allows attackers to delete files within the web server root directory via a crafted HTTP request. |
CVE-2022-25412 | 1 Max-3000 | 1 Maxsite Cms | 2024-11-21 | 8.1 High | Maxsite CMS v180 was discovered to contain multiple arbitrary file deletion vulnerabilities in /admin_page/all-files-update-ajax.php via the dir and deletefile parameters. |
CVE-2022-25371 | 1 Apache | 1 Ofbiz | 2024-11-21 | 9.8 Critical | Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier. |
CVE-2022-25358 | 1 Awful-salmonella-tar Project | 1 Awful-salmonella-tar | 2024-11-21 | 5.3 Medium | A ..%2F path traversal vulnerability exists in the path handler of awful-salmonella-tar before 0.0.4. Attackers can only list directories (not read files). This occurs because the safe-path? Scheme predicate is not used for directories. |
CVE-2022-25298 | 1 Webcc Project | 1 Webcc | 2024-11-21 | 7.5 High | This affects the package sprinfall/webcc before 0.3.0. It is possible to traverse directories to fetch arbitrary files from the server. |
CVE-2022-25267 | 1 Passwork | 1 Passwork | 2024-11-21 | 8.8 High | Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files). |
CVE-2022-25266 | 1 Passwork | 1 Passwork | 2024-11-21 | 4.3 Medium | Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files). |
CVE-2022-25216 | 1 Dvdfab | 2 12 Player, Playerfab | 2024-11-21 | 7.5 High | An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>. |
CVE-2022-25188 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.3 Medium | Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker. |
CVE-2022-25178 | 2 Jenkins, Redhat | 2 Pipeline, Openshift | 2024-11-21 | 6.5 Medium | Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system. |
CVE-2022-25046 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 9.8 Critical | A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. |
CVE-2022-24992 | 1 Qr Code Generator Project | 1 Qr Code Generator | 2024-11-21 | 7.5 High | A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal. |
CVE-2022-24983 | 1 Jqueryform | 1 Jqueryform | 2024-11-21 | 7.5 High | Forms generated by JQueryForm.com before 2022-02-05 allow remote attackers to obtain the URI to any uploaded file by capturing the POST response. When chained with CVE-2022-24984, this could lead to unauthenticated remote code execution on the underlying web server. This occurs because the Unique ID field is contained in the POST response upon submitting a form. |
CVE-2022-24977 | 1 Impresscms | 1 Impresscms | 2024-11-21 | 9.8 Critical | ImpressCMS before 1.4.2 allows unauthenticated remote code execution via ...../// directory traversal in origName or imageName, leading to unsafe interaction with the CKEditor processImage.php script. The payload may be placed in PHP_SESSION_UPLOAD_PROGRESS when the PHP installation supports upload_progress. |
CVE-2022-24659 | 1 Goldshell | 1 Goldshell Miner Firmware | 2024-11-21 | 7.5 High | Goldshell ASIC Miners v2.2.1 and below were discovered to contain a path traversal vulnerability which allows unauthenticated attackers to retrieve arbitrary files from the device. |
CVE-2022-24647 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | 8.1 High | Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function. |
CVE-2022-24424 | 1 Dell | 1 Emc Appsync | 2024-11-21 | 7.5 High | Dell EMC AppSync versions from 3.9 to 4.3 contain a path traversal vulnerability in AppSync server. A remote unauthenticated attacker may potentially exploit this vulnerability to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application. |
CVE-2022-24348 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2024-11-21 | 7.7 High | Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file. |
CVE-2022-24312 | 1 Schneider-electric | 1 Interactive Graphical Scada System Data Server | 2024-11-21 | 9.8 Critical | A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists that could cause modification of an existing file by appending to the end of the file, or creation of a new file, in the context of the Data Server, potentially leading to remote code execution when an attacker sends a specially crafted message. Affected Product: Interactive Graphical SCADA System Data Server (V15.0.0.22020 and prior) |