Total
6658 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-4402 | 1 Docsys Project | 1 Docsys | 2023-11-07 | N/A | 7.2 HIGH |
| A vulnerability classified as critical has been found in RainyGao DocSys 2.02.37. This affects an unknown part of the component ZIP File Decompression Handler. The manipulation leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-215271. | |||||
| CVE-2022-47595 | 1 Codecabin | 1 Wp Go Maps | 2023-11-07 | N/A | 6.5 MEDIUM |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Go Maps (formerly WP Google Maps) plugin <= 9.0.15 versions. | |||||
| CVE-2022-4031 | 1 Simple-press | 1 Simple\ | 2023-11-07 | N/A | 4.9 MEDIUM |
| The Simple:Press plugin for WordPress is vulnerable to arbitrary file modifications in versions up to, and including, 6.8 via the 'file' parameter which does not properly restrict files to be edited in the context of the plugin. This makes it possible with attackers, with high-level permissions such as an administrator, to supply paths to arbitrary files on the server that can be modified outside of the intended scope of the plugin. | |||||
| CVE-2022-4030 | 1 Simple-press | 1 Simple\ | 2023-11-07 | N/A | 8.1 HIGH |
| The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the 'file' parameter which can be manipulated during user avatar deletion. This makes it possible with attackers, with minimal permissions such as a subscriber, to supply paths to arbitrary files on the server that will subsequently be deleted. This can be used to delete the wp-config.php file that can allow an attacker to configure the site and achieve remote code execution. | |||||
| CVE-2022-43864 | 1 Ibm | 2 Business Automation Workflow, Business Monitor | 2023-11-07 | N/A | 7.5 HIGH |
| IBM Business Automation Workflow 22.0.2 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 239427. | |||||
| CVE-2022-43857 | 1 Ibm | 1 I | 2023-11-07 | N/A | 4.3 MEDIUM |
| IBM Navigator for i 7.3, 7.4 and 7.5 could allow an authenticated user to access IBM Navigator for i log files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks and download log files by modifying servlet filter. IBM X-Force ID: 239301. | |||||
| CVE-2022-44748 | 1 Knime | 1 Knime Server | 2023-11-07 | N/A | 7.5 HIGH |
| A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server since 4.3.0 can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the KNIME Server process user. In all cases the attacker has to know the location of files on the server's file system, though. Note that users that have permissions to upload workflows usually also have permissions to run them on the KNIME Server and can therefore already execute arbitrary code in the context of the KNIME Executor's operating system user. There is no workaround to prevent this vulnerability from being exploited. Updates to fixed versions 4.13.6, 4.14.3, or 4.15.3 are advised. | |||||
| CVE-2022-43858 | 1 Ibm | 1 I | 2023-11-07 | N/A | 4.3 MEDIUM |
| IBM Navigator for i 7.3, 7.4, and 7.5 could allow an authenticated user to access the file system and download files they are authorized to but not while using this interface. The remote authenticated user can bypass the interface checks by modifying a parameter thereby gaining access to their files through this interface. IBM X-Force ID: 239303. | |||||
| CVE-2022-45829 | 1 Wp-ecommerce | 1 Easy Wp Smtp | 2023-11-07 | N/A | 8.1 HIGH |
| Auth. Path Traversal vulnerability in Easy WP SMTP plugin <= 1.5.1 at WordPress. | |||||
| CVE-2022-44749 | 1 Knime | 1 Knime Analytics Platform | 2023-11-07 | N/A | 7.0 HIGH |
| A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user. In all cases the attacker has to know the location of files on the user's system, though. | |||||
| CVE-2022-43771 | 1 Hitachi | 1 Vantara Pentaho Business Analytics Server | 2023-11-07 | N/A | 6.5 MEDIUM |
| Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin exposes a service endpoint for CSV import which allows a user supplied path to access resources that are out of bounds. | |||||
| CVE-2022-42470 | 1 Fortinet | 1 Forticlient | 2023-11-07 | N/A | 7.8 HIGH |
| A relative path traversal vulnerability in Fortinet FortiClient (Windows) 7.0.0 - 7.0.7, 6.4.0 - 6.4.9, 6.2.0 - 6.2.9 and 6.0.0 - 6.0.10 allows an attacker to execute unauthorized code or commands via sending a crafted request to a specific named pipe. | |||||
| CVE-2022-42474 | 1 Fortinet | 3 Fortios, Fortiproxy, Fortiswitchmanager | 2023-11-07 | N/A | 2.7 LOW |
| A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9 and before 6.4.12, FortiProxy version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7, FortiSwitchManager version 7.2.0 through 7.2.1 and before 7.0.1 allows an privileged attacker to delete arbitrary directories from the filesystem through crafted HTTP requests. | |||||
| CVE-2022-42476 | 1 Fortinet | 2 Fortios, Fortiproxy | 2023-11-07 | N/A | 8.2 HIGH |
| A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8 and before 6.4.11, FortiProxy version 7.2.0 through 7.2.2 and 7.0.0 through 7.0.8 allows privileged VDOM administrators to escalate their privileges to super admin of the box via crafted CLI requests. | |||||
| CVE-2022-41772 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 9.8 CRITICAL |
| Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior mishandle .ZIP archives containing characters used in path traversal. This path traversal could result in remote code execution. | |||||
| CVE-2022-41335 | 1 Fortinet | 3 Fortios, Fortiproxy, Fortiswitchmanager | 2023-11-07 | N/A | 8.1 HIGH |
| A relative path traversal vulnerability [CWE-23] in Fortinet FortiOS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.8 and before 6.4.10, FortiProxy version 7.2.0 through 7.2.1, 7.0.0 through 7.0.7 and before 2.0.10, FortiSwitchManager 7.2.0 and before 7.0.0 allows an authenticated attacker to read and write files on the underlying Linux system via crafted HTTP requests. | |||||
| CVE-2022-40977 | 1 Pilz | 15 Pasvisu, Pmi V507, Pmi V507 Firmware and 12 more | 2023-11-07 | N/A | 7.5 HIGH |
| A path traversal vulnerability was discovered in Pilz PASvisu Server before 1.12.0. An unauthenticated remote attacker could use a zipped, malicious configuration file to trigger arbitrary file writes ('zip-slip'). File writes do not affect confidentiality or availability. | |||||
| CVE-2022-40607 | 2 Ibm, Linux | 2 Spectrum Scale, Linux Kernel | 2023-11-07 | N/A | 6.8 MEDIUM |
| IBM Spectrum Scale 5.1 could allow users with permissions to create pod, persistent volume and persistent volume claim to access files and directories outside of the volume, including on the host filesystem. IBM X-Force ID: 235740. | |||||
| CVE-2022-3966 | 1 Ultimatemember | 1 Ultimate Member | 2023-11-07 | N/A | 7.5 HIGH |
| A vulnerability, which was classified as critical, has been found in Ultimate Member Plugin up to 2.5.0. This issue affects the function load_template of the file includes/core/class-shortcodes.php of the component Template Handler. The manipulation of the argument tpl leads to pathname traversal. The attack may be initiated remotely. Upgrading to version 2.5.1 is able to address this issue. The name of the patch is e1bc94c1100f02a129721ba4be5fbc44c3d78ec4. It is recommended to upgrade the affected component. The identifier VDB-213545 was assigned to this vulnerability. | |||||
| CVE-2022-41657 | 1 Deltaww | 1 Infrasuite Device Master | 2023-11-07 | N/A | 9.8 CRITICAL |
| Delta Electronics InfraSuite Device Master Versions 00.00.01a and prior allow attacker provided data already serialized into memory to be used in file operation application programmable interfaces (APIs). This could create arbitrary files, which could be used in API operations and could ultimately result in remote code execution. | |||||