CWE:

| Risk | Title | Date | Author |
|---|---|---|---|
| Med. | Apache Flink 1.11.0 Arbitrary File Read / Directory Traversal | 08.01.2021 | SunCSR |
| Med. | Responsive FileManager 9.13.4 Path Traversal | 05.01.2021 | SunCSR |
| Med. | WordPress Duplicator 1.3.26 Directory Traversal / File Read | 03.01.2021 | Hoa Nguyen |
| Med. | Rocket.Chat Path Traversal | 23.12.2020 | Moe Szyslak |
| Med. | Cisco ASA 9.14.1.10 / FTD 6.6.0.1 Path Traversal | 15.12.2020 | Freakyclown |
| Low | Advanced Component System (ACS) 1.0 Path Traversal | 13.12.2020 | Francisco Javier Santi... |
| Low | Huawei HedEx Lite (DM) Path Traversal | 04.12.2020 | S.AbenMassaoud |
| High | Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion | 04.12.2020 | LiquidWorm |
| High | TestBox CFML Test Framework 4.1.0 Directory Traversal | 21.11.2020 | Darren King |
| Med. | PMB 5.6 Local File Disclosure / Directory Traversal | 16.11.2020 | 41-trk |
| Med. | SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities | 13.11.2020 | h4shur |
| Med. | ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure | 05.11.2020 | LiquidWorm |
| High | HiSilicon Video Encoder 1.97 File Disclosure / Path Traversal | 19.10.2020 | Alexei Kojenov |
| Med. | ReQuest Serious Play Media Player 3.0 File Disclosure / Path Traversal | 19.10.2020 | LiquidWorm |
| Med. | Cisco ASA and FTD 9.6.4.42 Path Traversal | 14.10.2020 | 3ndG4me |
| High | Garfield Petshop 2020-10-01 Cross Site Request Forgery | 09.10.2020 | Ramdan Yantu |
| Med. | Karel IP Phone IP1211 Web Management Panel Directory Traversal | 07.10.2020 | Berat Gokberk ISLER |
| Med. | Ruijie Networks Switch eWeb S29_RGOS 11.4 Directory Traversal | 20.08.2020 | Tuygun |
| Med. | October CMS <= Build 465 Multiple Vulnerabilities | 03.08.2020 | Sivanesh Ashok |
| Med. | Files 4 Client Pro - Easy File Transfer v1.2.2 - Path Traversal | 30.07.2020 | Vlad Vector |
| Med. | Bludit 3.9.2 Directory Traversal | 30.07.2020 | James Green |
| Med. | Zyxel Armor X1 WAP6806 Directory Traversal | 15.07.2020 | Rajivarnan R |
| High | ATutor 2.2.4 Directory Traversal / Remote Code Execution | 01.07.2020 | liquidsky |
| Med. | Zyxel Armor X1 Model:WAP6806 - Directory Traversal | 30.06.2020 | Rajivarnan R |
| Med. | Cisco AnyConnect Path Traversal / Privilege Escalation | 25.06.2020 | Yorick Koster |
| Med. | OpenCTI 3.3.1 Cross Site Scripting / Directory Traversal | 18.06.2020 | Raif Berkay Dincel |
| Med. | MJML 4.6.2 Path Traversal | 17.06.2020 | Julien Ahrens |
| Med. | Navigate CMS 2.8.7 Authenticated Directory Traversal | 10.06.2020 | Gus Ralph |
| Med. | photobucket Library Slideshow - Remote File Inclusion | 24.05.2020 | h4shur |
| High | ManageEngine DataSecurity Plus Path Traversal / Code Execution | 12.05.2020 | Sahil Dhar |
| Med. | Booked Scheduler 2.7.7 Directory Traversal | 09.05.2020 | Besim Altinok |
| High | SimplePHPGal 0.7 Remote File Inclusion | 06.05.2020 | h4shur |
| Med. | Zen Load Balancer 3.10.1 Directory Traversal (Metasploit) | 02.05.2020 | Dhiraj Mishra |
| High | Gigamon GigaVUE 5.5.01.11 Directory Traversal / File Upload | 30.04.2020 | Balazs Hambalko |
| Med. | Easy Transfer 1.7 Cross Site Scripting / Directory Traversal | 28.04.2020 | Benjamin Kunz Mejri |
| Med. | Sky File 2.1.0 Cross Site Scripting / Directory Traversal | 21.04.2020 | Benjamin Kunz Mejri |
| Low | QRadar Community Edition 7.3.1.6 Path Traversal | 21.04.2020 | Yorick Koster |
| Med. | Zen Load Balancer 3.10.1 Directory Traversal | 11.04.2020 | Basim Alabdullah |
| Med. | LimeSurvey 4.1.11 File Manager Path Traversal | 06.04.2020 | Matthew Aberegg, Micha... |
| Med. | Joomla Fabrik 3.9.11 Directory Traversal | 30.03.2020 | qw3rTyTy |
| Med. | Jinfornet Jreport 15.6 Directory Traversal | 27.03.2020 | hongphukt |
| Med. | FIBARO System Home Center 5.021 Remote File Inclusion / XSS | 24.03.2020 | LiquidWorm |
| Med. | VMware Fusion Local Privilege Escalation / Directory Traversal | 21.03.2020 | Grimm |
| Med. | PHPKB Multi-Language 9 Authenticated Directory Traversal | 16.03.2020 | Antonio Cannito |
| Med. | Creative Contact Form 4.6.2 Directory Traversal | 09.03.2020 | Wolfgang Hotwagner |
| High | Apache ActiveMQ 5.11.1 Directory Traversal / Shell Upload | 08.03.2020 | David Jorm |
| Med. | Pachev FTP Server 1.0 Path Traversal | 23.01.2020 | 1F98D |
| Med. | Citrix ADC / Gateway Path Traversal | 17.01.2020 | Mishra Dhiraj |
| Med. | Huawei HG255 Directory Traversal | 16.01.2020 | Ismail Tasdelen |
| Med. | Citrix ADC (NetScaler) Directory Traversal / Remote Code Execution | 15.01.2020 | Ramella Sebastien |
| Med. | piSignage 2.6.4 Directory Traversal | 08.01.2020 | JunYeong Ko |
| Med. | Voyager 1.3.0 Directory Traversal | 07.01.2020 | NgoAnhDuc |
| Med. | IBM InfoPrint 4247-Z03 Impact Matrix Printer Directory Traversal | 01.01.2020 | Raif Berkay Dincel |
| Med. | Bullwark Momentum Series JAWS 1.0 Directory Traversal | 13.12.2019 | Numan Türle |
| High | Bludit Directory Traversal Image File Upload (Metasploit) | 04.12.2019 | Anonymous |
| Med. | SALTO ProAccess SPACE 5.5 Traversal / File Write / XSS / Bypass | 03.12.2019 | W. Schober |
| Med. | Crystal Live HTTP Server 6.01 Directory Traversal | 19.11.2019 | numan turle |
| Med. | Lexmark Services Monitor 2.27.4.0.39 Directory Traversal | 19.11.2019 | Kevin Randall |
| Med. | gSOAP 2.8 Directory Traversal | 14.11.2019 | numan turle |
| High | Bludit Directory Traversal Image File Upload | 13.11.2019 | sinn3r |
| Med. | Jira Service Desk Server / Data Center Path Traversal | 10.11.2019 | Atlassian |
| High | Nostromo Directory Traversal Remote Command Execution (Metasploit) | 04.11.2019 | Quentin Kaiser |
| High | Nostromo 1.9.6 Directory Traversal / Remote Command Execution | 01.11.2019 | Quentin Kaiser |
| Med. | WordPress Arforms 3.7.1 Directory Traversal | 27.10.2019 | Ahmad Almorabea |
| High | Generic Zip Slip Traversal | 12.09.2019 | sinn3r |
| Med. | Tibco JasperSoft Path Traversal | 10.09.2019 | Elar Lang |
| Med. | Totaljs CMS 12.0 Path Traversal | 05.09.2019 | Riccardo Krauter |
| Med. | Nimble Streamer 3.0.2-2 < 3.5.4-9 Directory Traversal | 23.08.2019 | MAYASEVEN |
| High | Cisco Adaptive Security Appliance Path Traversal (Metasploit) | 13.08.2019 | Anonymous |
| High | Veritas Resiliency Platform (VRP) Traversal / Command Execution | 01.08.2019 | David Dillard |
| Med. | Sahi pro 8.x Directory Traversal | 12.07.2019 | Alexander Bluestein |
| Med. | GrandNode 4.40 Path Traversal / File Download | 25.06.2019 | Corey Robinson |
| Med. | ABB IDAL FTP Server Path Traversal | 25.06.2019 | Eldar Marcussen |
| Med. | Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal | 20.06.2019 | mr_me |
| Med. | Sahi Pro 7.x / 8.x Directory Traversal | 19.06.2019 | Goutham Madhwaraj |
| Med. | BlogEngine.NET 3.3.7 Directory Traversal / Remote Code Execution | 19.06.2019 | Aaron Bishop |
| High | Supra Smart Cloud TV Remote File Inclusion | 06.06.2019 | Mishra Dhiraj |
| Med. | Typora 0.9.9.24.6 Directory Traversal | 29.05.2019 | Mishra Dhiraj |
| Med. | Moodle Jmol Filter 6.1 Directory Traversal / Cross-Site Scripting | 21.05.2019 | Dionach Ltd |
| Med. | NetNumber Titan ENUM/DNS/NP 7.9.1 Bypass / Traversal | 11.05.2019 | MobileNetworkSecurity |
| Med. | Spring Cloud Config 2.1.x Path Traversal | 01.05.2019 | Mishra Dhiraj |
| Med. | Joomla Core 1.5.0 3.9.4 Directory Traversal / Authenticated Arbitrary File Deletion | 23.04.2019 | Haboob Team |
| High | Oracle Business Intelligence Directory Traversal | 21.04.2019 | Vahagn Vardanyan |
| Med. | Evernote 7.9 Path Traversal / Code Execution | 19.04.2019 | Mishra Dhiraj |
| Med. | Joomla 3.9.4 Arbitrary File Deletion / Directory Traversal | 17.04.2019 | Haboob Team |
| Med. | Titan FTP Server 2019 Build 3505 Directory Traversal | 27.03.2019 | Kevin Randall |
| Med. | CoreFTP Server FTP / SFTP Server 2 Build 674 MDTM Directory Traversal | 13.03.2019 | Kevin Randall |
| Med. | MarcomCentral FusionPro VDP Creator Directory Traversal | 05.03.2019 | 0v3rride |
| Med. | Micro Focus Filr 3.4.0.217 Path Traversal / Privilege Escalation | 22.02.2019 | Leandro Cuozzo |
| High | SureMDM Local / Remote File Inclusion | 02.02.2019 | Digital Interruption |
| Med. | GL-AR300M-Lite 2.2.7 Command Injection / Directory Traversal | 17.01.2019 | Pasquale Turi |
| Med. | Aspose.ZIP For .NET Path Traversal | 10.01.2019 | Jaroslav Lobacevski |
| High | Roxy Fileman 1.4.5 File Upload / Directory Traversal | 08.01.2019 | Pongtorn Angsuchotmete... |
| Med. | Transcend Wi-Fi SD Card Cross Site Request Forgery / Traversal | 18.12.2018 | MustLive |
| Low | Responsive FileManager 9.13.4 XSS / File Manipulation / Traversal | 15.12.2018 | farisv |
| Med. | Zyxel VMG1312-B10D 5.13AAXA.8 Directory Traversal | 26.11.2018 | x-hayben21 |
| High | D-Link Plain-Text Password Storage / Code Execution / Directory Traversal | 19.10.2018 | Blazej Adamczyk |
| Med. | Citrix StorageZones Controller Improper Access Restrictions / Traversal | 27.09.2018 | Wolfgang Ettlinger |
| Med. | Rubedo CMS 3.4.0 Directory Traversal | 12.09.2018 | Marouene Boubakri |
| Med. | Softneta MedDream PACS Server Premium 6.7.1.1 Directory Traversal | 08.09.2018 | Carlos Avila |


Common Weakness Enumeration (CWE)

| Date | Risk | CVE | Vendor | Software | Description |
|---|---|---|---|---|---|
| 2021-01-15 | | CVE-2021-21251 | | | OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a custom library method leveraging Apache Commons Compress. During the untar process, there are no checks in place to prevent an untarred file from traversing the file system and overriding an existing file. For a successful exploitation, the attacker requires a valid __JobToken__ which may not be possible to get without using any of the other reported vulnerabilities. But this should be considered a vulnerability in `io.onedev.commons.utils.TarUtils` since it lives in a different artifact and can affect other projects using it. This issue was addressed in 4.0.3 by validating paths in tar archive to only allow them to be in specified folder when extracted. |
| 2021-01-13 | Medium | CVE-2020-28374 | Linux | Linux kernel | In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore. |
| 2021-01-08 | High | CVE-2020-5804 | Marvell | Qconvergecon... | Marvell QConvergeConsole GUI <= 5.5.0.74 is affected by a path traversal vulnerability. The deleteEventLogFile method of the GWTTestServiceImpl class lacks proper validation of a user-supplied path prior to using it in file deletion operations. An authenticated, remote attacker can leverage this vulnerability to delete arbitrary remote files as SYSTEM or root. |
| 2021-01-07 | Medium | CVE-2020-13449 | Thecodingmachine | Gotenberg | A directory traversal vulnerability in the Markdown engine of Gotenberg through 6.2.1 allows an attacker to read any container files. |
| | Medium | CVE-2020-13450 | Thecodingmachine | Gotenberg | A directory traversal vulnerability in the file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite any writable files outside the intended folder. This can lead to DoS, a change to program behavior, or code execution. |
| | Medium | CVE-2021-23241 | | | MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI. |
| | Medium | CVE-2021-23242 | | | MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ to the UPnP server, as demonstrated by the /../../conf/template/uhttpd.json URI. |
| 2021-01-05 | Medium | CVE-2021-3019 | Lanproxy project | Lanproxy | ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.properties to obtain credentials for a connection to the intranet. |
| | Medium | CVE-2020-17518 | Apache | Flink | Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. |
| | Low | CVE-2021-21234 | Spring-boot-actuator-logview project | Spring-boot-... | spring-boot-actuator-logview is a library that adds a simple logfile viewer as a spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory. The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy. |
Copyright 2021, cxsecurity.com