Total: 7067 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2023-30380 | 1 Dedecms | 1 Dedecms | 2025-01-31 | 7.5 High | An issue in the component /dialog/select_media.php of DedeCMS v5.7.107 allows attackers to perform directory traversal. |
CVE-2023-26243 | 1 Hyundai | 2 Gen5w L In-vehicle Infotainment System, Gen5w L In-vehicle Infotainment System Firmware | 2025-01-31 | 7.8 High | An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The decryption binary used to decrypt firmware files has an information leak that allows an attacker to read the AES key and initialization vector from memory. An attacker may exploit this to create custom firmware that can be installed on the IVI system, and then install a backdoor that allows them to control the system if it is connected to the Internet through Wi-Fi. |
CVE-2021-39312 | 1 Trueranker | 1 True Ranker | 2025-01-31 | 7.5 High | The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the ~/admin/vendor/datatables/examples/resources/examples.php file. |
CVE-2023-2336 | 1 Pimcore | 1 Pimcore | 2025-01-31 | 6.5 Medium | Path traversal in the GitHub repository pimcore/pimcore prior to version 10.5.21. |
CVE-2022-3361 | 1 Ultimatemember | 1 Ultimate Member | 2025-01-31 | 4.3 Medium | The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including, 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a PHP file, remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users. |
CVE-2017-20184 | 1 Gavazzionline | 1 Powersoft | 2025-01-31 | 7.5 High | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Carlo Gavazzi Powersoft up to version 2.1.1.1 allows an unauthenticated, remote attacker to download any file from the affected device. |
CVE-2024-13671 | 1 Partitionnumerique | 1 Music Sheet Viewer | 2025-01-31 | 7.5 High | The Music Sheet Viewer plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.1 via the read_score_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. |
CVE-2024-46664 | 1 Fortinet | 1 Fortirecorder | 2025-01-31 | 5.2 Medium | A relative path traversal in Fortinet FortiRecorder [CWE-23] version 7.2.0 through 7.2.1 and before 7.0.4 allows a privileged attacker to read files from the underlying filesystem via crafted HTTP or HTTPS requests. |
CVE-2024-36512 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2025-01-31 | 7 High | An improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiManager and FortiAnalyzer 7.4.0 through 7.4.3, 7.2.0 through 7.2.5, 7.0.2 through 7.0.12 and 6.2.10 through 6.2.13 allows an attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests. |
CVE-2025-0493 | | | 2025-01-31 | 9.8 Critical | The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. |
CVE-2024-47566 | 1 Fortinet | 1 Fortirecorder | 2025-01-31 | 4.8 Medium | An improper limitation of a pathname to a restricted directory ('path traversal') [CWE-23] in Fortinet FortiRecorder version 7.2.0 through 7.2.1 and before 7.0.4 allows a privileged attacker to delete files from the underlying filesystem via crafted CLI requests. |
CVE-2023-2273 | 1 Rapid7 | 1 Insight Agent | 2025-01-31 | 5.8 Medium | Rapid7 Insight Agent token handler versions 3.2.6 and below suffer from a Directory Traversal vulnerability whereby unsanitized input from a CLI argument flows into io.ioutil.WriteFile, where it is used as a path. This can result in a Path Traversal vulnerability and allow an attacker to write arbitrary files. This issue is remediated in version 3.3.0 via safeguards that reject inputs that attempt path traversal. |
CVE-2024-49766 | | | 2025-01-31 | 3.7 Low | Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not running on Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch. |
CVE-2023-30507 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2025-01-31 | 4.9 Medium | Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. |
CVE-2024-54154 | 1 Jetbrains | 1 Youtrack | 2025-01-31 | 8 High | In JetBrains YouTrack before 2024.3.51866, system takeover was possible through path traversal in the plugin sandbox. |
CVE-2023-28413 | 1 Snow Monkey Forms Project | 1 Snow Monkey Forms | 2025-01-31 | 9.8 Critical | Directory traversal vulnerability in Snow Monkey Forms versions v5.0.6 and earlier allows a remote unauthenticated attacker to obtain sensitive information, alter the website, or cause a denial-of-service (DoS) condition. |
CVE-2023-27507 | 1 Microengine | 1 Mailform | 2025-01-31 | 9.8 Critical | MicroEngine Mailform versions 1.1.0 to 1.1.8 contain a path traversal vulnerability. If the product's file upload function and server save option are enabled, a remote attacker may save an arbitrary file on the server and execute it. |
CVE-2023-27067 | 1 Sitecore | 1 Experience Platform | 2025-01-31 | 7.5 High | Directory Traversal vulnerability in Sitecore Experience Platform through 10.2 allows remote attackers to download arbitrary files via a crafted command to download.aspx. |
CVE-2023-27066 | 1 Sitecore | 1 Experience Platform | 2025-01-31 | 6.5 Medium | Directory Traversal vulnerability in Sitecore Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle. |
CVE-2023-22901 | 1 Changingtec | 1 Mobile One Time Password | 2025-01-30 | 4.9 Medium | ChangingTec MOTP system has a path traversal vulnerability. A remote attacker with administrator privileges can exploit this vulnerability to access arbitrary system files. |