Total
7067 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-22006 | 4 Debian, Netapp, Oracle and 1 more | 16 Debian Linux, 7-mode Transition Tool, Active Iq Unified Manager and 13 more | 2025-02-13 | 3.1 Low |
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). | ||||
| CVE-2023-1183 | 3 Fedoraproject, Libreoffice, Redhat | 3 Fedora, Libreoffice, Enterprise Linux | 2025-02-13 | 5 Medium |
| A flaw was found in the Libreoffice package. An attacker can craft an odb containing a "database/script" file with a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker. | ||||
| CVE-2022-47027 | 1 Timmystudios | 1 Fast Typing Keyboard | 2025-02-13 | 9.8 Critical |
| Timmystudios Fast Typing Keyboard v1.275.1.162 allows unauthorized apps to overwrite arbitrary files in its internal storage via a dictionary traversal vulnerability and achieve arbitrary code execution. | ||||
| CVE-2022-37681 | 1 Hitachi | 2 Hc-ip9100hd, Hc-ip9100hd Firmware | 2025-02-13 | 7.5 High |
| Hitachi Kokusai Electric Newtork products for monitoring system (Camera, Decoder and Encoder) and below allows attckers to perform a directory traversal via a crafted GET request to the endpoint /ptippage.cgi. Security information ID hitachi-sec-2022-001 contains fixes for the issue. | ||||
| CVE-2020-9479 | 1 Apache | 1 Asterixdb | 2025-02-13 | 5.5 Medium |
| When loading a UDF, a specially crafted zip file could allow files to be placed outside of the UDF deployment directory. This issue affected Apache AsterixDB unreleased builds between commits 580b81aa5e8888b8e1b0620521a1c9680e54df73 and 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d. Note: this CVE may be REJECTed as the issue did not affect any released versions of Apache AsterixDB | ||||
| CVE-2020-17518 | 2 Apache, Redhat | 4 Flink, Camel Quarkus, Integration and 1 more | 2025-02-13 | 7.5 High |
| Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master. | ||||
| CVE-2020-15858 | 1 Thalesgroup | 18 Bgs5, Bgs5 Firmware, Ehs5 and 15 more | 2025-02-13 | 6.2 Medium |
| Some devices of Thales DIS (formerly Gemalto, formerly Cinterion) allow Directory Traversal by physically proximate attackers. The directory path access check of the internal flash file system can be circumvented. This flash file system can store application-specific data and data needed for customer Java applications, TLS and OTAP (Java over-the-air-provisioning) functionality. The affected products and releases are: BGS5 up to and including SW RN 02.000 / ARN 01.001.06 EHSx and PDSx up to and including SW RN 04.003 / ARN 01.000.04 ELS61 up to and including SW RN 02.002 / ARN 01.000.04 ELS81 up to and including SW RN 05.002 / ARN 01.000.04 PLS62 up to and including SW RN 02.000 / ARN 01.000.04 | ||||
| CVE-2020-13924 | 1 Apache | 1 Ambari | 2025-02-13 | 7.5 High |
| In Apache Ambari versions 2.6.2.2 and earlier, malicious users can construct file names for directory traversal and traverse to other directories to download files. | ||||
| CVE-2023-25305 | 1 Polymc | 1 Polymc | 2025-02-13 | 7.1 High |
| PolyMC Launcher <= 1.4.3 is vulnerable to Directory Traversal. A mrpack file can be maliciously crafted to create arbitrary files outside of the installation directory. | ||||
| CVE-2023-25303 | 1 Atlauncher | 1 Atlauncher | 2025-02-13 | 7.1 High |
| ATLauncher <= 3.4.26.0 is vulnerable to Directory Traversal. A mrpack file can be maliciously crafted to create arbitrary files outside of the installation directory. | ||||
| CVE-2024-2362 | 3 Linux, Lollms, Microsoft | 3 Linux Kernel, Lollms Web Ui, Windows | 2025-02-13 | 9.1 Critical |
| A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'del_preset' endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences ('..'). As a result, an attacker can send a specially crafted request to the 'del_preset' endpoint to delete files outside of the intended directory. | ||||
| CVE-2024-36795 | 2025-02-13 | 4.0 Medium | ||
| Insecure permissions in Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 allows attackers to access URLs and directories embedded within the firmware via unspecified vectors. | ||||
| CVE-2024-36079 | 1 Vaultize | 1 Drm | 2025-02-13 | 6.5 Medium |
| An issue was discovered in Vaultize 21.07.27. When uploading files, there is no check that the filename parameter is correct. As a result, a temporary file will be created outside the specified directory when the file is downloaded. To exploit this, an authenticated user would upload a file with an incorrect file name, and then download it. | ||||
| CVE-2024-35429 | 1 Zkteco | 1 Zkbio Cvsecurity | 2025-02-13 | 6.5 Medium |
| ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord. | ||||
| CVE-2024-47266 | 2025-02-13 | 2.7 Low | ||
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in share file list functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to read specific files containing non-sensitive information via unspecified vectors. | ||||
| CVE-2024-35324 | 2025-02-13 | 9.8 Critical | ||
| Douchat 4.0.5 suffers from an arbitrary file upload vulnerability via Public/Plugins/webuploader/server/preview.php. | ||||
| CVE-2024-35205 | 1 Kingsoft | 1 Wps Office | 2025-02-13 | 7.8 High |
| The WPS Office (aka cn.wps.moffice_eng) application before 17.0.0 for Android fails to properly sanitize file names before processing them through external application interactions, leading to a form of path traversal. This potentially enables any application to dispatch a crafted library file, aiming to overwrite an existing native library utilized by WPS Office. Successful exploitation could result in the execution of arbitrary commands under the guise of WPS Office's application ID. | ||||
| CVE-2024-35081 | 1 Luckyframe | 1 Luckyframeweb | 2025-02-13 | 7.5 High |
| LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary file deletion vulnerability via the fileName parameter in the fileDownload method. | ||||
| CVE-2024-34854 | 1 F-logic | 1 Datacube3 | 2025-02-13 | 9.8 Critical |
| F-logic DataCube3 v1.0 is vulnerable to File Upload via `/admin/transceiver_schedule.php.` | ||||
| CVE-2024-34832 | 1 Cubecart | 1 Cubecart | 2025-02-13 | 9.8 Critical |
| Directory Traversal vulnerability in CubeCart v.6.5.5 and before allows an attacker to execute arbitrary code via a crafted file uploaded to the _g and node parameters. | ||||