Total
7067 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-35598 | 1 Advanced Comment System Project | 1 Advanced Comment System | 2024-11-21 | 7.5 High |
| ACS Advanced Comment System 1.0 is affected by Directory Traversal via an advanced_component_system/index.php?ACS_path=..%2f URI. NOTE: this might be the same as CVE-2009-4623 | ||||
| CVE-2020-35580 | 1 Searchblox | 1 Searchblox | 2024-11-21 | 7.5 High |
| A local file inclusion vulnerability in the FileServlet in all SearchBlox before 9.2.2 allows remote, unauthenticated users to read arbitrary files from the operating system via a /searchblox/servlet/FileServlet?col=url= request. Additionally, this may be used to read the contents of the SearchBlox configuration file (e.g., searchblox/WEB-INF/config.xml), which contains both the Super Admin's API key and the base64 encoded SHA1 password hashes of other SearchBlox users. | ||||
| CVE-2020-35460 | 2 Mpxj, Oracle | 2 Mpxj, Primavera Unifier | 2024-11-21 | 5.3 Medium |
| common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations. | ||||
| CVE-2020-35370 | 1 Raysync | 1 Raysync | 2024-11-21 | 8.8 High |
| A RCE vulnerability exists in Raysync below 3.3.3.8. An unauthenticated unauthorized attacker sending a specifically crafted request to override the specific file in server with malicious content can login as "admin", then to modify specific shell file to achieve remote code execution(RCE) on the hosting server. | ||||
| CVE-2020-35362 | 1 Dext5 | 1 Dext5upload | 2024-11-21 | 7.5 High |
| DEXT5Upload 2.7.1262310 and earlier is affected by Directory Traversal in handler/dext5handler.jsp. This could allow remote files to be downloaded via a dext5CMD=downloadRequest action with traversal in the fileVirtualPath parameter (the attacker must provide the correct fileOrgName value). | ||||
| CVE-2020-35284 | 1 Flamingoim Project | 1 Flamingoim | 2024-11-21 | 7.5 High |
| Flamingo (aka FlamingoIM) through 2020-09-29 allows ../ directory traversal because the only ostensibly unpredictable part of a file-transfer request is an MD5 computation; however, this computation occurs on the client side, and the computation details can be easily determined because the product's source code is available. | ||||
| CVE-2020-35176 | 3 Awstats, Debian, Fedoraproject | 3 Awstats, Debian Linux, Fedora | 2024-11-21 | 5.3 Medium |
| In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600. | ||||
| CVE-2020-2504 | 1 Qnap | 1 Qes | 2024-11-21 | 5.8 Medium |
| If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later. | ||||
| CVE-2020-2278 | 1 Jenkins | 1 Storable Configs | 2024-11-21 | 6.5 Medium |
| Jenkins Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job config.xml file's content. | ||||
| CVE-2020-2277 | 1 Jenkins | 1 Storable Configs | 2024-11-21 | 6.5 Medium |
| Jenkins Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller. | ||||
| CVE-2020-2275 | 1 Jenkins | 1 Copy Data To Workspace | 2024-11-21 | 6.5 Medium |
| Jenkins Copy data to workspace Plugin 1.0 and earlier does not limit which directories can be copied from the Jenkins controller to job workspaces, allowing attackers with Job/Configure permission to read arbitrary files on the Jenkins controller. | ||||
| CVE-2020-2254 | 2 Jenkins, Redhat | 2 Blue Ocean, Openshift | 2024-11-21 | 6.5 Medium |
| Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system. | ||||
| CVE-2020-2139 | 1 Jenkins | 1 Cobertura | 2024-11-21 | 6.5 Medium |
| An arbitrary file write vulnerability in Jenkins Cobertura Plugin 1.15 and earlier allows attackers able to control the coverage report file contents to overwrite any file on the Jenkins master file system. | ||||
| CVE-2020-29600 | 3 Awstats, Debian, Fedoraproject | 3 Awstats, Debian Linux, Fedora | 2024-11-21 | 9.8 Critical |
| In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501. | ||||
| CVE-2020-29556 | 1 Getgrav | 1 Grav Cms | 2024-11-21 | 5.5 Medium |
| The Backup functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to read arbitrary local files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.) | ||||
| CVE-2020-29555 | 1 Getgrav | 1 Grav Cms | 2024-11-21 | 8.1 High |
| The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.) | ||||
| CVE-2020-29529 | 2 Hashicorp, Redhat | 2 Go-slug, Acm | 2024-11-21 | 7.5 High |
| HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed in 0.5.0. | ||||
| CVE-2020-29495 | 1 Dell | 2 Emc Avamar Server, Emc Integrated Data Protection Appliance | 2024-11-21 | 10 Critical |
| DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain an OS Command Injection Vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS with high privileges. This vulnerability is considered critical as it can be leveraged to completely compromise the vulnerable application as well as the underlying operating system. Dell recommends customers to upgrade at the earliest opportunity. | ||||
| CVE-2020-29494 | 1 Dell | 2 Emc Avamar Server, Emc Integrated Data Protection Appliance | 2024-11-21 | 8.7 High |
| Dell EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a Path Traversal Vulnerability in PDM. A remote user could potentially exploit this vulnerability, to gain unauthorized write access to the arbitrary files stored on the server filesystem, causing deletion of arbitrary files. | ||||
| CVE-2020-29453 | 1 Atlassian | 3 Data Center, Jira Data Center, Jira Server | 2024-11-21 | 5.3 Medium |
| The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check. | ||||