Total
6853 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-54535 | 1 Apple | 4 Ipados, Iphone Os, Visionos and 1 more | 2025-01-23 | 4 Medium |
A path handling issue was addressed with improved logic. This issue is fixed in watchOS 11.1, visionOS 2.1, iOS 18.1 and iPadOS 18.1. An attacker with access to calendar data could also read reminders. | ||||
CVE-2024-42471 | 2 Actions\/artifact\/, Github | 3 Github Toolkit, Actions\/artifact, Actions Toolkit | 2025-01-23 | 7.3 High |
actions/artifact is the GitHub ToolKit for developing GitHub Actions. Versions of `actions/artifact` on the 2.x branch before 2.1.2 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArtifactPublic`, or `streamExtractExternal` for extracting a specifically crafted artifact that contains path traversal filenames. Users are advised to upgrade to version 2.1.2 or higher. There are no known workarounds for this issue. | ||||
CVE-2024-27102 | 1 Pterodactyl | 1 Wings | 2025-01-23 | 10 Critical |
Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is exactly unknown, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive, however effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability. | ||||
CVE-2022-4030 | 1 Simple-press | 1 Simple\ | 2025-01-23 | 8.1 High |
The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the 'file' parameter which can be manipulated during user avatar deletion. This makes it possible with attackers, with minimal permissions such as a subscriber, to supply paths to arbitrary files on the server that will subsequently be deleted. This can be used to delete the wp-config.php file that can allow an attacker to configure the site and achieve remote code execution. | ||||
CVE-2022-4031 | 1 Simple-press | 1 Simple\ | 2025-01-23 | 3.8 Low |
The Simple:Press plugin for WordPress is vulnerable to arbitrary file modifications in versions up to, and including, 6.8 via the 'file' parameter which does not properly restrict files to be edited in the context of the plugin. This makes it possible with attackers, with high-level permissions such as an administrator, to supply paths to arbitrary files on the server that can be modified outside of the intended scope of the plugin. | ||||
CVE-2023-32985 | 1 Jenkins | 1 Sidebar Link | 2025-01-23 | 4.3 Medium |
Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. | ||||
CVE-2024-44195 | 1 Apple | 1 Macos | 2025-01-23 | 7.5 High |
A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1. An app may be able to read arbitrary files. | ||||
CVE-2024-26261 | 1 Hgiga | 4 Oaklouds-organization-2.0, Oaklouds-organization-3.0, Oaklouds-webbase-2.0 and 1 more | 2025-01-23 | 9.8 Critical |
The functionality for file download in HGiga OAKlouds' certain modules contains an Arbitrary File Read and Delete vulnerability. Attackers can put file path in specific request parameters, allowing them to download the file without login. Furthermore, the file will be deleted after being downloaded. | ||||
CVE-2024-55926 | 2025-01-23 | 6.3 Medium | ||
Arbitrary file upload, deletion and read through header manipulation | ||||
CVE-2024-0818 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-01-23 | 9.1 Critical |
Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6 | ||||
CVE-2023-42229 | 2025-01-23 | 6.5 Medium | ||
Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal. Arbitrary files can be created on the system via authenticated SOAP requests to the WSConnector service. | ||||
CVE-2023-42227 | 2025-01-23 | 7.5 High | ||
Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the WSCView/Save function. | ||||
CVE-2023-42226 | 2025-01-23 | 7.5 High | ||
Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via Email/SaveAttachment function. | ||||
CVE-2023-42225 | 2025-01-23 | 7.5 High | ||
Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Attachment/DownloadTempFile function. | ||||
CVE-2024-25156 | 1 Fortra | 1 Goanywhere Managed File Transfer | 2025-01-23 | 6.5 Medium |
A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients. | ||||
CVE-2018-14847 | 1 Mikrotik | 1 Routeros | 2025-01-23 | 9.1 Critical |
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface. | ||||
CVE-2023-42232 | 2025-01-23 | 7.5 High | ||
Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Navigator/Index function. | ||||
CVE-2024-42187 | 2025-01-23 | 5.3 Medium | ||
BigFix Patch Download Plug-ins are affected by path traversal vulnerability. The application could allow operators to download files from a local repository which is vulnerable to path traversal attacks. | ||||
CVE-2024-29053 | 1 Microsoft | 1 Defender For Iot | 2025-01-23 | 8.8 High |
Microsoft Defender for IoT Remote Code Execution Vulnerability | ||||
CVE-2024-38768 | 1 Webangon | 1 The Pack Elementor Addons | 2025-01-22 | 4.3 Medium |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Webangon The Pack Elementor addons allows PHP Local File Inclusion, Path Traversal.This issue affects The Pack Elementor addons: from n/a through 2.0.8.6. |