Total
6658 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-37126 | 1 Huawei | 1 Harmonyos | 2022-01-11 | 5.0 MEDIUM | 7.5 HIGH |
| Arbitrary file has a Exposure of Sensitive Information to an Unauthorized Actor vulnerability .Successful exploitation of this vulnerability may cause the directory is traversed. | |||||
| CVE-2021-44674 | 1 Opmantek | 1 Open-audit | 2022-01-11 | 4.0 MEDIUM | 6.5 MEDIUM |
| An information exposure issue has been discovered in Opmantek Open-AudIT 4.2.0. The vulnerability allows an authenticated attacker to read file outside of the restricted directory. | |||||
| CVE-2021-45427 | 1 Emerson | 2 Xweb300d Evo, Xweb300d Evo Firmware | 2022-01-11 | 7.5 HIGH | 9.8 CRITICAL |
| Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: unauthenticated arbitrary file deletion due to path traversal. An attacker can browse and delete files without any authentication due to incorrect access control and directory traversal. | |||||
| CVE-2021-25021 | 1 Ffw | 1 Optimize My Google Fonts | 2022-01-11 | 4.0 MEDIUM | 4.9 MEDIUM |
| The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin | |||||
| CVE-2021-20876 | 1 Groupsession | 1 Groupsession | 2022-01-10 | 4.0 MEDIUM | 6.8 MEDIUM |
| Path traversal vulnerability in GroupSession Free edition ver5.1.1 and earlier, GroupSession byCloud ver5.1.1 and earlier, and GroupSession ZION ver5.1.1 and earlier allows an attacker with an administrative privilege to obtain sensitive information stored in the hierarchy above the directory on the published site's server via unspecified vectors. | |||||
| CVE-2021-45712 | 1 Rust-embed Project | 1 Rust-embed | 2022-01-06 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the rust-embed crate before 6.3.0 for Rust. A ../ directory traversal can sometimes occur in debug mode. | |||||
| CVE-2020-24219 | 1 Szuray | 95 Iptv\/h.264 Video Encoder Firmware, Iptv\/h.265 Video Encoder Firmware, Uaioe264-1u and 92 more | 2022-01-06 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can send crafted unauthenticated HTTP requests to exploit path traversal and pattern-matching programming flaws, and retrieve any file from the device's file system, including the configuration file with the cleartext administrative password. | |||||
| CVE-2021-40858 | 1 Auerswald | 20 Commander 6000r Ip, Commander 6000r Ip Firmware, Commander 6000rx Ip and 17 more | 2022-01-04 | 6.8 MEDIUM | 4.9 MEDIUM |
| Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Disclosure. A sub-admin can read the cleartext Admin password via the fileName=../../etc/passwd substring. | |||||
| CVE-2021-45418 | 1 Starcharge | 4 Nova 360 Cabinet, Nova 360 Cabinet Firmware, Titan 180 Premium and 1 more | 2022-01-03 | 6.5 MEDIUM | 8.8 HIGH |
| Certain Starcharge products are vulnerable to Directory Traversal via main.cgi. The affected products include: Nova 360 Cabinet <=1.3.0.0.6 - Fixed: 1.3.0.0.9 and Titan 180 Premium <=1.3.0.0.7b102 - Fixed: Beta1.3.0.1.0. | |||||
| CVE-2020-5377 | 1 Dell | 1 Emc Openmanage Server Administrator | 2022-01-01 | 6.4 MEDIUM | 9.1 CRITICAL |
| Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station. | |||||
| CVE-2020-28337 | 1 Microweber | 1 Microweber | 2022-01-01 | 6.5 MEDIUM | 7.2 HIGH |
| A directory traversal issue in the Utils/Unzip module in Microweber through 1.1.20 allows an authenticated attacker to gain remote code execution via the backup restore feature. To exploit the vulnerability, an attacker must have the credentials of an administrative user, upload a maliciously constructed ZIP file with file paths including relative paths (i.e., ../../), move this file into the backup directory, and execute a restore on this file. | |||||
| CVE-2020-7668 | 1 Compression And Archive Extensions Tz Project | 1 Compression And Archive Extensions Tz Project | 2022-01-01 | 5.0 MEDIUM | 7.5 HIGH |
| In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide. | |||||
| CVE-2020-5237 | 1 1up | 1 Oneupuploaderbundle | 2021-12-30 | 6.5 MEDIUM | 8.8 HIGH |
| Multiple relative path traversal vulnerabilities in the oneup/uploader-bundle before 1.9.3 and 2.1.5 allow remote attackers to upload, copy, and modify files on the filesystem (potentially leading to arbitrary code execution) via the (1) filename parameter to BlueimpController.php; the (2) dzchunkindex, (3) dzuuid, or (4) filename parameter to DropzoneController.php; the (5) qqpartindex, (6) qqfilename, or (7) qquuid parameter to FineUploaderController.php; the (8) x-file-id or (9) x-file-name parameter to MooUploadController.php; or the (10) name or (11) chunk parameter to PluploadController.php. This is fixed in versions 1.9.3 and 2.1.5. | |||||
| CVE-2021-43840 | 1 Discourse | 1 Message Bus | 2021-12-29 | 3.5 LOW | 6.5 MEDIUM |
| message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled. | |||||
| CVE-2021-23797 | 1 Http-server-node Project | 1 Http-server-node | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package http-server-node are vulnerable to Directory Traversal via use of --path-as-is. | |||||
| CVE-2021-32498 | 1 Sick | 1 Sopas Engineering Tool | 2021-12-27 | 9.3 HIGH | 8.6 HIGH |
| SICK SOPAS ET before version 4.8.0 allows attackers to manipulate the pathname of the emulator and use path traversal to run an arbitrary executable located on the host system. When the user starts the emulator from SOPAS ET the corresponding executable will be started instead of the emulator | |||||
| CVE-2021-44162 | 1 Chinasea | 1 Qb Smart Service Robot | 2021-12-27 | 5.0 MEDIUM | 7.5 HIGH |
| Chain Sea ai chatbot system’s specific file download function has path traversal vulnerability. The function has improper filtering of special characters in URL parameters, which allows a remote attacker to download arbitrary system files without authentication. | |||||
| CVE-2021-44232 | 1 Sap | 1 Saf-t Framework | 2021-12-22 | 4.0 MEDIUM | 7.7 HIGH |
| SAF-T Framework Transaction SAFTN_G allows an attacker to exploit insufficient validation of path information provided by normal user, leading to full server directory access. The attacker can see the whole filesystem structure but cannot overwrite, delete, or corrupt arbitrary files on the server. | |||||
| CVE-2021-3960 | 1 Bitdefender | 1 Gravityzone | 2021-12-21 | 4.6 MEDIUM | 7.8 HIGH |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects Bitdefender GravityZone versions prior to 3.3.8.272 | |||||
| CVE-2021-43831 | 1 Gradio Project | 1 Gradio | 2021-12-21 | 3.5 LOW | 7.7 HIGH |
| Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not restricted and users who receive a Gradio link can access any files on the host computer if they know the file names or file paths. This is limited only by the host operating system. Paths are opened in read only mode. The problem has been patched in gradio 2.5.0. | |||||