Total
351 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-49359 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2024-11-06 | 7.5 High |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attackers can access sensitive system directories such as `/etc`, potentially exposing critical configuration files and increasing the risk of further attacks. As of time of publication, no known patched versions are available. | ||||
| CVE-2024-48647 | 1 Sage | 1 1000 | 2024-11-01 | 7.2 High |
| A file disclosure vulnerability exists in Sage 1000 v7.0.0. This vulnerability allows remote attackers to retrieve arbitrary files from the server's file system by manipulating the URL parameter in HTTP requests. The attacker can exploit this flaw to access sensitive information, including configuration files that may contain credentials and system settings, which could lead to further compromise of the server. | ||||
| CVE-2024-49756 | 1 Ash Framework | 1 Ashpostgres | 2024-10-25 | 5.3 Medium |
| AshPostgres is the PostgreSQL data layer for Ash Framework. Starting in version 2.0.0 and prior to version 2.4.10, in certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on "empty" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger. To be vulnerable, an affected user must have an update action that is on a resource with no attributes containing an "update default" (updated_at timestamp, for example); can be performed atomically; does not have `require_atomic? false`; has at least one authorizer (typically `Ash.Policy.Authorizer`); and has at least one `change` (on the resource's `changes` block or in the action itself). This is where the side-effects would be performed when they should not have been. This problem has been patched in `2.4.10` of `ash_postgres`. Several workarounds are available. Potentially affected users may determine that none of their actions are vulnerable using a script the maintainers provide in the GitHub Security Advisory, add `require_atomic? false` to any potentially affected update action, replace any usage of `Ash.update` with `Ash.bulk_update` for an affected action, and/or add an update timestamp to their action. | ||||
| CVE-2024-44807 | 1 D-zero | 2 Burgereditor, Burgereditor Limited Edition | 2024-10-15 | 5.3 Medium |
| A directory listing issue in the baserCMS plugin in D-ZERO CO., LTD. BurgerEditor and BurgerEditor Limited Edition before 2.25.1 allows remote attackers to obtain sensitive information by exposing a list of the uploaded files. | ||||
| CVE-2024-7107 | 1 Nationalkeep | 1 Cybermath | 2024-10-03 | 7.5 High |
| Files or Directories Accessible to External Parties vulnerability in National Keep Cyber Security Services CyberMath allows Collect Data from Common Resource Locations.This issue affects CyberMath: before CYBM.240816253. | ||||
| CVE-2024-38876 | 1 Siemens | 14 Omnivise T3000 Application Server, Omnivise T3000 Application Server R9.2, Omnivise T3000 Domain Controller and 11 more | 2024-09-17 | 7.8 High |
| A vulnerability has been identified in Omnivise T3000 Application Server R9.2 (All versions), Omnivise T3000 Domain Controller R9.2 (All versions), Omnivise T3000 Product Data Management (PDM) R9.2 (All versions), Omnivise T3000 R8.2 SP3 (All versions), Omnivise T3000 R8.2 SP4 (All versions), Omnivise T3000 Terminal Server R9.2 (All versions), Omnivise T3000 Thin Client R9.2 (All versions), Omnivise T3000 Whitelisting Server R9.2 (All versions). The affected application regularly executes user modifiable code as a privileged user. This could allow a local authenticated attacker to execute arbitrary code with elevated privileges. | ||||
| CVE-2024-39581 | 1 Dell | 2 Insightiq, Powerscale Insightiq | 2024-09-16 | 7.3 High |
| Dell PowerScale InsightIQ, versions 5.0 through 5.1, contains a File or Directories Accessible to External Parties vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability to read, modify, and delete arbitrary files. | ||||
| CVE-2024-3913 | 1 Phoenixcontact | 12 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 9 more | 2024-09-13 | 7.5 High |
| An unauthenticated remote attacker can use this vulnerability to change the device configuration due to a file writeable for short time after system startup. | ||||
| CVE-2024-8655 | 1 Mercurycom | 1 Mnvr816 Firmware | 2024-09-12 | 5.3 Medium |
| A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has been classified as problematic. This affects an unknown part of the file /web-static/. The manipulation leads to files or directories accessible. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-41699 | 1 Priority-software | 1 Priority | 2024-09-03 | 4.4 Medium |
| Priority – CWE-552: Files or Directories Accessible to External Parties | ||||
| CVE-2024-7729 | 1 Cayintech | 15 Cms-20, Cms-60, Cms-se and 12 more | 2024-08-16 | 7.5 High |
| The CAYIN Technology CMS lacks proper access control, allowing unauthenticated remote attackers to download arbitrary CGI files. | ||||