Total
7067 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-39619 | 1 Cridio | 1 Listingpro | 2025-03-07 | 9 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio ListingPro allows PHP Local File Inclusion.This issue affects ListingPro: from n/a through 2.9.3. | ||||
| CVE-2024-39624 | 1 Cridio | 1 Listingpro | 2025-03-07 | 8.5 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio ListingPro allows PHP Local File Inclusion.This issue affects ListingPro: from n/a through 2.9.3. | ||||
| CVE-2024-39621 | 1 Cridio | 1 Listingpro | 2025-03-07 | 8 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio ListingPro allows PHP Local File Inclusion.This issue affects ListingPro: from n/a through 2.9.3. | ||||
| CVE-2025-21095 | 2025-03-06 | 4.9 Medium | ||
| Path traversal may lead to arbitrary file download. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25. | ||||
| CVE-2020-5001 | 1 Ibm | 1 Financial Transaction Manager | 2025-03-06 | 4.3 Medium |
| IBM Financial Transaction Manager 3.2.0 through 3.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 192953. | ||||
| CVE-2024-13897 | 2025-03-06 | 6.5 Medium | ||
| The Moving Media Library plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the generate_json_page function in all versions up to, and including, 1.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2023-22336 | 1 Dos-osaka | 2 Rakuraku Pc Cloud Agent, Ss1 | 2025-03-06 | 9.8 Critical |
| Path traversal vulnerability in SS1 Ver.13.0.0.40 and earlier and Rakuraku PC Cloud Agent Ver.2.1.8 and earlier allows a remote attacker to upload a specially crafted file to an arbitrary directory. As a result of exploiting this vulnerability with CVE-2023-22335 and CVE-2023-22344 vulnerabilities together, it may allow a remote attacker to execute an arbitrary code with SYSTEM privileges by sending a specially crafted script to the affected device. | ||||
| CVE-2024-13894 | 2025-03-06 | N/A | ||
| Smartwares cameras CIP-37210AT and C724IP, as well as others which share the same firmware in versions up to 3.3.0, are vulnerable to path traversal. When an affected device is connected to a mobile app, it opens a port 10000 enabling a user to download pictures shot at specific moments by providing paths to the files. However, the directories to which a user has access are not limited, allowing for path traversal attacks and downloading sensitive information. The vendor has not replied to reports, so the patching status remains unknown. Newer firmware versions might be vulnerable as well. | ||||
| CVE-2024-51958 | 1 Esri | 1 Arcgis Server | 2025-03-06 | 4.9 Medium |
| There is a path traversal vulnerability in ESRI ArcGIS Server versions 10.9.1 thru 11.3. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality. | ||||
| CVE-2024-51966 | 1 Esri | 1 Arcgis Server | 2025-03-06 | 4.9 Medium |
| There is a path traversal vulnerability in ESRI ArcGIS Server versions 10.9.1 thru 11.3. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality. | ||||
| CVE-2025-1915 | 2025-03-06 | 8.1 High | ||
| Improper Limitation of a Pathname to a Restricted Directory in DevTools in Google Chrome on Windows prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) | ||||
| CVE-2023-26111 | 2 \@nubosoftware\/node-static Project, Node-static Project | 2 \@nubosoftware\/node-static, Node-static | 2025-03-05 | 7.5 High |
| All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function. | ||||
| CVE-2017-20181 | 1 Vocable Trainer Project | 1 Vocable Trainer | 2025-03-05 | 5.3 Medium |
| A vulnerability classified as critical was found in hgzojer Vocable Trainer up to 1.3.0 on Android. This vulnerability affects unknown code of the file src/at/hgz/vocabletrainer/VocableTrainerProvider.java. The manipulation leads to path traversal. Attacking locally is a requirement. Upgrading to version 1.3.1 is able to address this issue. The name of the patch is accf6838078f8eb105cfc7865aba5c705fb68426. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222328. | ||||
| CVE-2023-1112 | 1 Codedropz | 1 Drag And Drop Multiple File Upload - Contact Form 7 | 2025-03-05 | 4.7 Medium |
| A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the file admin-ajax.php. The manipulation of the argument upload_name leads to relative path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222072. | ||||
| CVE-2023-26361 | 1 Adobe | 1 Coldfusion | 2025-03-05 | 4.9 Medium |
| Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges. | ||||
| CVE-2023-2913 | 1 Rockwellautomation | 1 Thinmanager | 2025-03-05 | 7.5 High |
| An executable used in Rockwell Automation ThinManager ThinServer can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables. | ||||
| CVE-2025-23416 | 2025-03-05 | 4.9 Medium | ||
| Path traversal may lead to arbitrary file deletion. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25. | ||||
| CVE-2025-24494 | 2025-03-05 | 7.2 High | ||
| Path traversal may allow remote code execution using privileged account (requires device admin account, cannot be performed by a regular user). In combination with the 'Upload' functionality this could be used to execute an arbitrary script or possibly an uploaded binary. Remediation in Version 6.7.0, release date: 20-Oct-24. | ||||
| CVE-2024-53676 | 1 Hpe | 1 Insight Remote Support | 2025-03-05 | 9.8 Critical |
| A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution. | ||||
| CVE-2024-39903 | 1 Widgetti | 1 Solara | 2025-03-05 | 8.6 High |
| Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system. | ||||