Total: 6658 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-40964 | 1 Tinyfilemanager Project | 1 Tinyfilemanager | 2022-05-19 | 4.3 MEDIUM | 6.5 MEDIUM |
| A Path Traversal vulnerability exists in TinyFileManager, all versions up to and including 2.4.6, that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer. | |||||
| CVE-2022-24878 | 1 Fluxcd | 2 Flux2, Kustomize-controller | 2022-05-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the user's CI/CD pipeline to validate `kustomization.yaml` files conform with specific policies. This vulnerability is fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0. Users are recommended to upgrade. | |||||
| CVE-2018-20525 | 1 Roxyfileman | 1 Roxy Fileman | 2022-05-13 | 6.4 MEDIUM | 9.1 CRITICAL |
| Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile.php, and fileslist.php. | |||||
| CVE-2021-38693 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2022-05-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| A path traversal vulnerability has been reported to affect QNAP devices running QuTScloud, QuTS hero, QTS, QVR Pro Appliance. If exploited, this vulnerability allows attackers to read the contents of unexpected files and expose sensitive data. We have already fixed this vulnerability in the following versions of QuTScloud, QuTS hero, QTS, QVR Pro Appliance: QuTScloud c5.0.1.1949 and later; QuTS hero h5.0.0.1949 build 20220215 and later; QuTS hero h4.5.4.1951 build 20220218 and later; QTS 5.0.0.1986 build 20220324 and later; QTS 4.5.4.1991 build 20220329 and later | |||||
| CVE-2021-42183 | 1 Masacms | 1 Masacms | 2022-05-13 | 5.0 MEDIUM | 7.5 HIGH |
| MasaCMS 7.2.1 is affected by a path traversal vulnerability in /index.cfm/_api/asset/image/. | |||||
| CVE-2021-45783 | 1 Bookeen | 2 Notea, Notea Firmware | 2022-05-13 | 2.1 LOW | 4.6 MEDIUM |
| Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information. | |||||
| CVE-2022-29474 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2022-05-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at least guest role privileges to read wsdl files in the BIG-IP file system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2021-46381 | 1 Dlink | 2 Dap-1620, Dap-1620 Firmware | 2022-05-12 | 5.0 MEDIUM | 7.5 HIGH |
| Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow]. | |||||
| CVE-2020-6109 | 1 Zoom | 1 Zoom | 2022-05-12 | 7.5 HIGH | 9.8 CRITICAL |
| An exploitable path traversal vulnerability exists in the way the Zoom client, version 4.6.10, processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability. | |||||
| CVE-2020-6110 | 1 Zoom | 1 Zoom | 2022-05-12 | 6.8 MEDIUM | 8.8 HIGH |
| An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required. | |||||
| CVE-2022-26835 | 1 F5 | 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more | 2022-05-12 | 4.0 MEDIUM | 4.9 MEDIUM |
| On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, directory traversal vulnerabilities exist in undisclosed iControl REST endpoints and TMOS Shell (tmsh) commands in F5 BIG-IP Guided Configuration, which may allow an authenticated attacker with at least resource administrator role privileges to read arbitrary files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | |||||
| CVE-2020-6950 | 2 Eclipse, Oracle | 9 Mojarra, Banking Enterprise Default Management, Banking Platform and 6 more | 2022-05-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | |||||
| CVE-2022-20101 | 2 Google, Mediatek | 45 Android, Mt6580, Mt6739 and 42 more | 2022-05-12 | 2.1 LOW | 5.5 MEDIUM |
| In aee daemon, there is a possible information disclosure due to a path traversal. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06419017; Issue ID: ALPS06270870. | |||||
| CVE-2022-26068 | 1 Pistache Project | 1 Pistache | 2022-05-11 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package pistacheio/pistache before 0.0.3.20220425. It is possible to traverse directories to fetch arbitrary files from the server. | |||||
| CVE-2022-28784 | 1 Google | 1 Android | 2022-05-11 | 2.1 LOW | 3.3 LOW |
| Path traversal vulnerability in Galaxy Themes prior to SMR May-2022 Release 1 allows attackers to list file names in an arbitrary directory as the system user. The patch addresses incorrect implementation of the file path validation check logic. | |||||
| CVE-2022-25842 | 1 Alibabagroup | 1 One-java-agent | 2022-05-11 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. | |||||
| CVE-2022-28451 | 1 Nopcommerce | 1 Nopcommerce | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup file in the Maintenance feature. | |||||
| CVE-2022-1166 | 1 Nootheme | 1 Jobmonster | 2022-05-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| The JobMonster Theme was vulnerable to Directory Listing in the /wp-content/uploads/jobmonster/ folder, as it did not include a default PHP file, or .htaccess file. This could expose personal data such as people's resumes. Although Directory Listing can be prevented by securely configuring the web server, vendors can also take measures to make it less likely to happen. | |||||
| CVE-2022-29967 | 1 Glewlwyd Project | 1 Glewlwyd | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal. | |||||
| CVE-2022-1554 | 1 Clinical-genomics | 1 Scout | 2022-05-10 | 5.0 MEDIUM | 7.5 HIGH |
| Path Traversal due to `send_file` call in GitHub repository clinical-genomics/scout prior to 4.52. | |||||
