Total
7067 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-55415 | 2025-02-06 | 5.7 Medium | ||
| DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass. | ||||
| CVE-2023-29887 | 1 Nuovo | 1 Spreadsheet-reader | 2025-02-06 | 7.5 High |
| A Local File inclusion vulnerability in test.php in spreadsheet-reader 0.5.11 allows remote attackers to include arbitrary files via the File parameter. | ||||
| CVE-2024-53566 | 1 Sangoma | 1 Asterisk | 2025-02-06 | 5.5 Medium |
| An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal. | ||||
| CVE-2024-26150 | 1 Linuxfoundation | 1 Backstage Backend-common | 2025-02-05 | 8.7 High |
| `@backstage/backend-common` is a common functionality library for backends for Backstage, an open platform for building developer portals. In `@backstage/backend-common` prior to versions 0.21.1, 0.20.2, and 0.19.10, paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if symlinks can be injected by attackers. This issue is patched in `@backstage/backend-common` versions 0.21.1, 0.20.2, and 0.19.10. | ||||
| CVE-2023-1109 | 1 Phoenixcontact | 7 Energy Axc Pu, Infobox, Infobox Firmware and 4 more | 2025-02-05 | 8.8 High |
| In Phoenix Contacts ENERGY AXC PU Web service an authenticated restricted user of the web frontend can access, read, write and create files throughout the file system using specially crafted URLs via the upload and download functionality of the web service. This may lead to full control of the service. | ||||
| CVE-2023-32167 | 1 D-link | 1 D-view | 2025-02-05 | 6.5 Medium |
| D-Link D-View uploadMib Directory Traversal Arbitrary File Creation or Deletion Vulnerability. This vulnerability allows remote attackers to create and delete arbitrary files on affected installations of D-Link D-View. Authentication is required to exploit this vulnerability. The specific flaw exists within the uploadMib function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create or delete files in the context of SYSTEM. . Was ZDI-CAN-19529. | ||||
| CVE-2023-30548 | 1 Gatsbyjs | 1 Gatsby | 2025-02-05 | 4.3 Medium |
| gatsby-plugin-sharp is a plugin for the gatsby framework which exposes functions built on the Sharp image processing library. The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gatsby develop server (`gatsby develop`). It should be noted that by default gatsby develop is only accessible via the localhost 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable. Attackers exploiting this vulnerability will have read access to all files within the scope of the server process. A patch has been introduced in gatsby-plugin-sharp@5.8.1 and gatsby-plugin-sharp@4.25.1 which mitigates the issue by ensuring that included paths remain within the project directory. As stated above, by default gatsby develop is only exposed to the localhost 127.0.0.1. For those using the develop server in the default configuration no risk is posed. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges would mitigate the risk from this vulnerability. Users are non the less encouraged to upgrade to a safe version. | ||||
| CVE-2022-0223 | 1 Schneider-electric | 1 Ecostruxure Power Commission | 2025-02-05 | 6.5 Medium |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause unauthenticated code execution. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22) | ||||
| CVE-2022-22731 | 1 Schneider-electric | 1 Ecostruxure Power Commission | 2025-02-05 | 6.5 Medium |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in a function that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause path traversal attacks. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22) | ||||
| CVE-2023-27981 | 1 Schneider-electric | 3 Custom Reports, Igss Dashboard, Igss Data Server | 2025-02-05 | 7.8 High |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory vulnerability exists in Custom Reports that could cause a remote code execution when a victim tries to open a malicious report. Affected Products: IGSS Data Server(IGSSdataServer.exe)(V16.0.0.23040 and prior), IGSS Dashboard(DashBoard.exe)(V16.0.0.23040 and prior), Custom Reports(RMS16.dll)(V16.0.0.23040 and prior). | ||||
| CVE-2023-3813 | 1 Artbees | 1 Jupiter X Core | 2025-02-05 | 7.5 High |
| The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file downloads in versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to download the contents of arbitrary files on the server, which can contain sensitive information. The requires the premium version of the plugin to be activated. | ||||
| CVE-2023-5414 | 1 Icegram | 1 Icegram Express | 2025-02-05 | 9.1 Critical |
| The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including those belonging to other sites, for example in shared hosting environments. | ||||
| CVE-2023-4274 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2025-02-05 | 8.7 High |
| The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 0.9.89. This allows authenticated attackers with administrative privileges to delete the contents of arbitrary directories on the server, which can be a critical issue in a shared environments. | ||||
| CVE-2023-28459 | 1 Pretalx | 1 Pretalx | 2025-02-05 | 6.5 Medium |
| pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files. | ||||
| CVE-2023-28458 | 1 Pretalx | 1 Pretalx | 2025-02-05 | 4.3 Medium |
| pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Organizers can trigger the overwriting (with the standard pretalx 404 page content) of an arbitrary file. | ||||
| CVE-2023-21093 | 1 Google | 1 Android | 2025-02-05 | 7.8 High |
| In extractRelativePath of FileUtils.java, there is a possible way to access files in a directory belonging to other applications due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-228450832 | ||||
| CVE-2024-38706 | 1 Hasthemes | 1 Ht Mega | 2025-02-05 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in HasThemes HT Mega allows Path Traversal.This issue affects HT Mega: from n/a through 2.5.7. | ||||
| CVE-2023-26101 | 1 Progress | 1 Flowmon Packet Investigator | 2025-02-05 | 7.5 High |
| In Progress Flowmon Packet Investigator before 12.1.0, a Flowmon user with access to Flowmon Packet Investigator could leverage a path-traversal vulnerability to retrieve files on the Flowmon appliance's local filesystem. | ||||
| CVE-2023-47679 | 1 Qodeinteractive | 1 Qi Addons For Elementor | 2025-02-05 | 6.4 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in QODE Interactive Qi Addons For Elementor allows PHP Local File Inclusion.This issue affects Qi Addons For Elementor: from n/a through 1.6.3. | ||||
| CVE-2024-13409 | 1 Wpwax | 1 Post Grid\, Slider \& Carousel Ultimate | 2025-02-05 | 7.5 High |
| The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' parameter of the post_type_ajax_handler() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||