Total: 6658 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19459 | 1 Saltosystem | 1 Proaccess Space | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in SALTO ProAccess SPACE 5.4.3.0. An attacker can write arbitrary content to arbitrary files, as demonstrated by CVE-2019-19458 files under the web root, or .bat files that will be used with auto start. This allows an attacker to execute arbitrary commands on the server. | |||||
| CVE-2020-9325 | 1 Aquaforest | 1 Tiff Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| Aquaforest TIFF Server 4.0 allows Unauthenticated Arbitrary File Download. | |||||
| CVE-2020-13347 | 1 Gitlab | 1 Gitlab | 2021-07-21 | 9.0 HIGH | 9.1 CRITICAL |
| A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, the attacker can run arbitrary commands on the Windows host via the DOCKER_AUTH_CONFIG build variable. | |||||
| CVE-2020-12265 | 1 Decompress Project | 1 Decompress | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The decompress package before 4.2.1 for Node.js is vulnerable to Arbitrary File Write via ../ in an archive member, when a symlink is used, because of Directory Traversal. | |||||
| CVE-2019-16915 | 1 Netgate | 1 Pfsense | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents. | |||||
| CVE-2019-9157 | 1 Gemalto | 1 Ezio Ds3 Server | 2021-07-21 | 2.7 LOW | 5.7 MEDIUM |
| Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclosure. | |||||
| CVE-2020-7762 | 1 Jsreport | 1 Jsreport-chrome-pdf | 2021-07-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| This affects the package jsreport-chrome-pdf before 1.10.0. | |||||
| CVE-2020-9323 | 1 Aquaforest | 1 Tiff Server | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Aquaforest TIFF Server 4.0 allows Unauthenticated File and Directory Enumeration via tiffserver/tssp.aspx. | |||||
| CVE-2019-9642 | 1 Pydio | 1 Pydio | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it is possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution via a proxy.php?hash=../../../../../var/lib/pydio/data/personal/guest/PoC.php request. This is related to plugins/action.share/src/Store/ShareStore.php. | |||||
| CVE-2020-7651 | 1 Synk | 1 Broker | 2021-07-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| All versions of snyk-broker before 4.79.0 are vulnerable to Arbitrary File Read. It allows partial file reads for users who have access to Snyk's internal network via patch history from GitHub Commits API. | |||||
| CVE-2020-12851 | 1 Pydio | 1 Cells | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
| Pydio Cells 2.0.4 allows an authenticated user to write or overwrite existing files in another user’s personal and cells folders (repositories) by uploading a custom generated ZIP file and leveraging the file extraction feature present in the web application. The extracted files will be placed in the targeted user folders. | |||||
| CVE-2020-29166 | 1 Rainbowfishsoftware | 1 Pacsone Server | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| PacsOne Server (PACS Server In One Box) below 7.1.1 is affected by file read/manipulation, which can result in remote information disclosure. | |||||
| CVE-2020-0520 | 1 Intel | 1 Graphics Driver | 2021-07-21 | 4.6 MEDIUM | 7.8 HIGH |
| Path traversal in igdkmd64.sys for Intel(R) Graphics Drivers before versions 15.45.30.5103, 15.40.44.5107, 15.36.38.5117 and 15.33.49.5100 may allow an authenticated user to potentially enable escalation of privilege or denial of service via local access. | |||||
| CVE-2020-27385 | 1 Flexdotnetcms Project | 1 Flexdotnetcms | 2021-07-21 | 5.5 MEDIUM | 8.1 HIGH |
| Incorrect Access Control in the FileEditor (/Admin/Views/FileEditor/) in FlexDotnetCMS before v1.5.11 allows an authenticated remote attacker to read and write to existing files outside the web root. The files can be accessed via directory traversal, i.e., by entering a .. (dot dot) path such as ..\..\..\..\..\<file> in the input field of the FileEditor. In FlexDotnetCMS before v1.5.8, it is also possible to access files by specifying the full path (e.g., C:\<file>). The files can then be edited via the FileEditor. | |||||
| CVE-2019-11378 | 1 Projectsend | 1 Projectsend | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code. | |||||
| CVE-2020-9354 | 1 Smartclient | 1 Smartclient | 2021-07-21 | 6.4 MEDIUM | 7.5 HIGH |
| An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal. | |||||
| CVE-2019-16246 | 1 Intesync | 1 Solismed | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution. | |||||
| CVE-2020-18665 | 1 Webport | 1 Web Port | 2021-07-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Directory Traversal vulnerability in WebPort <=1.19.1 in tags of system settings. | |||||
| CVE-2021-33211 | 1 Element-it | 1 Http Commander | 2021-07-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| A Directory Traversal vulnerability in the Unzip feature in Elements-IT HTTP Commander 5.3.3 allows remote authenticated users to write files to arbitrary directories via relative paths in ZIP archives. | |||||
| CVE-2021-22440 | 1 Huawei | 12 Hima-l29c, Hima-l29c Firmware, Laya-al00ep and 9 more | 2021-07-15 | 2.1 LOW | 4.6 MEDIUM |
| There is a path traversal vulnerability in some Huawei products. The vulnerability exists because the software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly validate the pathname. Successful exploitation could allow the attacker to access a location outside of the restricted directory via a crafted filename. Affected product versions include: HUAWEI Mate 20 9.0.0.195(C01E195R2P1), 9.1.0.139(C00E133R3P1); HUAWEI Mate 20 Pro 9.0.0.187(C432E10R1P16), 9.0.0.188(C185E10R2P1), 9.0.0.245(C10E10R2P1), 9.0.0.266(C432E10R1P16), 9.0.0.267(C636E10R2P1), 9.0.0.268(C635E12R1P16), 9.0.0.278(C185E10R2P1); Hima-L29C 9.0.0.105(C10E9R1P16), 9.0.0.105(C185E9R1P16), 9.0.0.105(C636E9R1P16); Laya-AL00EP 9.1.0.139(C786E133R3P1); OxfordS-AN00A 10.1.0.223(C00E210R5P1); Tony-AL00B 9.1.0.257(C00E222R2P1). | |||||
