Total
6658 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-10956 | 3 Ipconfigure, Linux, Microsoft | 3 Orchid Core Vms, Linux Kernel, Windows | 2018-08-27 | 5.0 MEDIUM | 7.5 HIGH |
| IPConfigure Orchid Core VMS 2.0.5 allows Directory Traversal. | |||||
| CVE-2017-16859 | 1 Atlassian | 2 Crucible, Fisheye | 2018-08-23 | 4.0 MEDIUM | 6.5 MEDIUM |
| The review attachment resource in Atlassian Fisheye and Crucible before version 4.3.2, from version 4.4.0 before 4.4.3 and before version 4.5.0 allows remote attackers to read files contained within context path of the running application through a path traversal vulnerability in the command parameter. | |||||
| CVE-2018-7669 | 1 Sitecore | 1 Sitecore.net | 2018-08-11 | 7.8 HIGH | 7.5 HIGH |
| An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer' application is vulnerable to a directory traversal attack, allowing an attacker to access arbitrary files from the host Operating System using a sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file= URI. Validation is performed to ensure that the text passed to the 'file' parameter correlates to the correct log file directory. This filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack. | |||||
| CVE-2018-12560 | 1 Cantata Project | 1 Cantata | 2018-08-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. Arbitrary unmounts can be performed by regular users via directory traversal sequences such as a home/../sys/kernel substring. | |||||
| CVE-2018-12559 | 1 Cantata Project | 1 Cantata | 2018-08-10 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS filesystem anywhere (e.g., outside of the /home directory tree) by passing directory traversal sequences such as a home/../usr substring. | |||||
| CVE-2018-12631 | 1 Redatam | 1 Redatam | 2018-08-10 | 5.0 MEDIUM | 7.5 HIGH |
| Redatam7 (formerly Redatam WebServer) allows remote attackers to read arbitrary files via /redbin/rpwebutilities.exe/text?LFN=../ directory traversal. | |||||
| CVE-2018-8727 | 1 Mirasys | 1 Dvms Workstation | 2018-08-09 | 5.0 MEDIUM | 7.5 HIGH |
| Path Traversal in Gateway in Mirasys DVMS Workstation 5.12.6 and earlier allows an attacker to traverse the file system to access files or directories via the Web Client webserver. | |||||
| CVE-2007-4829 | 2 Archive\, Canonical | 2 \, Ubuntu Linux | 2018-08-08 | 6.8 MEDIUM | N/A |
| Directory traversal vulnerability in the Archive::Tar Perl module 1.36 and earlier allows user-assisted remote attackers to overwrite arbitrary files via a TAR archive that contains a file whose name is an absolute path or has ".." sequences. | |||||
| CVE-2018-5755 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-08-03 | 7.1 HIGH | 5.5 MEDIUM |
| Absolute path traversal vulnerability in the readerengine component in Open-Xchange OX App Suite before 7.6.3-rev3, 7.8.x before 7.8.2-rev4, 7.8.3 before 7.8.3-rev5, and 7.8.4 before 7.8.4-rev4 allows remote attackers to read arbitrary files via a full pathname in a formula in a spreadsheet. | |||||
| CVE-2018-12036 | 1 Owasp | 1 Dependency-check | 2018-07-27 | 6.8 MEDIUM | 7.8 HIGH |
| OWASP Dependency-Check before 3.2.0 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames. | |||||
| CVE-2018-12031 | 1 Eaton | 1 Intelligent Power Manager | 2018-07-27 | 7.5 HIGH | 9.8 CRITICAL |
| Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via server/node_upgrade_srv.js directory traversal with the firmware parameter in a downloadFirmware action. | |||||
| CVE-2018-10057 | 2 Bfgminer, Cgminer Project | 2 Bfgminer, Cgminer | 2018-07-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to write the miner configuration file to arbitrary locations on the server due to missing basedir restrictions (absolute directory traversal). | |||||
| CVE-2017-16038 | 1 F2e-server Project | 1 F2e-server | 2018-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| `f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. This is compounded by `f2e-server` requiring elevated privileges to run. | |||||
| CVE-2017-16198 | 1 Ritp Project | 1 Ritp | 2018-07-19 | 5.0 MEDIUM | 7.5 HIGH |
| ritp is a static web server. ritp is vulnerable to a directory traversal issue whereby an attacker can gain access to the file system by placing ../ in the URL. Access is restricted to files with a file extension, so files such as /etc/passwd are not accessible. | |||||
| CVE-2018-12042 | 1 Roxyfileman | 1 Roxy Fileman | 2018-07-17 | 5.0 MEDIUM | 7.5 HIGH |
| Roxy Fileman through v1.4.5 has Directory traversal via the php/download.php f parameter. | |||||
| CVE-2018-12053 | 1 Schools Alert Management Script Project | 1 Schools Alert Management Script | 2018-07-17 | 6.4 MEDIUM | 7.5 HIGH |
| Arbitrary File Deletion exists in PHP Scripts Mall Schools Alert Management Script via the img parameter in delete_img.php by using directory traversal. | |||||
| CVE-2018-12054 | 1 Schools Alert Management Script Project | 1 Schools Alert Management Script | 2018-07-17 | 5.0 MEDIUM | 7.5 HIGH |
| Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal. | |||||
| CVE-2016-6614 | 1 Phpmyadmin | 1 Phpmyadmin | 2018-07-08 | 4.3 MEDIUM | 6.8 MEDIUM |
| An issue was discovered in phpMyAdmin involving the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
| CVE-2018-11141 | 1 Quest | 1 Kace System Management Appliance | 2018-06-29 | 7.5 HIGH | 9.8 CRITICAL |
| The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script in the Quest KACE System Management Virtual Appliance 8.0.318 can be abused to write and delete files respectively via Directory Traversal. Files can be at any location where the 'www' user has write permissions. | |||||
| CVE-2018-11494 | 1 Opencart | 1 Opencart | 2018-06-29 | 6.0 MEDIUM | 8.0 HIGH |
| The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory name (containing 10 random digits) via a directory traversal attack involving language_info['code']. | |||||