Total
6500 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-12314 | 1 Asustor | 2 As602t, Data Master | 2024-08-05 | N/A |
| Directory Traversal in downloadwallpaper.cgi in ASUSTOR ADM version 3.1.1 allows attackers to download arbitrary files by manipulating the "file" and "folder" URL parameters. | ||||
| CVE-2018-12053 | 1 Schools Alert Management Script Project | 1 Schools Alert Management Script | 2024-08-05 | N/A |
| Arbitrary File Deletion exists in PHP Scripts Mall Schools Alert Management Script via the img parameter in delete_img.php by using directory traversal. | ||||
| CVE-2018-12054 | 1 Schools Alert Management Script Project | 1 Schools Alert Management Script | 2024-08-05 | N/A |
| Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management Script via the f parameter in img.php, aka absolute path traversal. | ||||
| CVE-2018-12015 | 7 Apple, Archive\, Canonical and 4 more | 10 Mac Os X, \, Ubuntu Linux and 7 more | 2024-08-05 | N/A |
| In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name. | ||||
| CVE-2018-11798 | 2 Apache, Redhat | 3 Thrift, Jboss Data Virtualization, Jboss Fuse | 2024-08-05 | N/A |
| The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path. | ||||
| CVE-2018-11789 | 1 Apache | 1 Heron | 2024-08-05 | N/A |
| When accessing the heron-ui webpage, people can modify the file paths outside of the current container to access any file on the host. Example woule be modifying the parameter path= to go to the directory you would like to view. i.e. ..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd. | ||||
| CVE-2018-11720 | 1 Xovis | 6 Pc2, Pc2 Firmware, Pc2r and 3 more | 2024-08-05 | N/A |
| Xovis PC2, PC2R, and PC3 devices through 3.6.0 allow Directory Traversal. | ||||
| CVE-2018-11759 | 3 Apache, Debian, Redhat | 3 Tomcat Jk Connector, Debian Linux, Jboss Core Services | 2024-08-05 | N/A |
| The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. | ||||
| CVE-2018-11495 | 1 Opencart | 1 Opencart | 2024-08-05 | N/A |
| OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in admin\model\catalog\download.php via admin/index.php?route=catalog/download/edit, related to the download_id. For example, an attacker can download ../../config.php. | ||||
| CVE-2018-11543 | 1 Ribboncommunications | 6 Sbc Swe Lite, Sbc Swe Lite Firmware, Sonus Sbc 1000 and 3 more | 2024-08-05 | N/A |
| A Local File Inclusion (LFI) vulnerability in the Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface allows for the downloading of arbitrary files via an unspecified vector. It affects the 1000 and 2000 devices 6.0.x up to Build 446, 6.1.x up to Build 492, and 7.0.x up to Build 485. It affects the SWe Lite devices 6.1.x up to Build 111 and 7.0.x up to Build 140. | ||||
| CVE-2018-11494 | 1 Opencart | 1 Opencart | 2024-08-05 | N/A |
| The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remove) that allows attackers to execute arbitrary code if the remove step is skipped, because the attacker can discover a secret temporary directory name (containing 10 random digits) via a directory traversal attack involving language_info['code']. | ||||
| CVE-2018-11455 | 1 Siemens | 1 Automation License Manager | 2024-08-05 | N/A |
| A vulnerability has been identified in Automation License Manager 5 (All versions < 5.3.4.4), Automation License Manager 6 (All versions < 6.0.1). A directory traversal vulnerability could allow a remote attacker to move arbitrary files, which can result in code execution, compromising confidentiality, integrity and availability of the system. Successful exploitation requires a network connection to the affected device. The attacker does not need privileges or special conditions of the system, but user interaction is required. | ||||
| CVE-2018-11413 | 1 Bearadmin Project | 1 Bearadmin | 2024-08-05 | N/A |
| An issue was discovered in BearAdmin 0.5. Remote attackers can download arbitrary files via /admin/databack/download.html?name= directory traversal sequences, as demonstrated by name=../application/database.php to read the MySQL credentials in the configuration. | ||||
| CVE-2018-11341 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-08-05 | N/A |
| Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to navigate the file system via the filename parameter. | ||||
| CVE-2018-11344 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-08-05 | N/A |
| A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a file on the system to download via the file1 parameter. | ||||
| CVE-2018-11319 | 2 Debian, Syntastic Project | 2 Debian Linux, Syntastic | 2024-08-05 | N/A |
| Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to a directory that is a parent of the base directory of the project being checked. NOTE: exploitation is more difficult after 3.8.0 because filename prediction may be needed. | ||||
| CVE-2018-11342 | 1 Asustor | 2 As6202t, As6202t Firmware | 2024-08-05 | N/A |
| A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows attackers to arbitrarily specify a path to a file on the system to create folders via the dest_folder parameter. | ||||
| CVE-2018-11248 | 1 Liulishuo | 1 Filedownloader | 2024-08-05 | N/A |
| util/FileDownloadUtils.java in FileDownloader 1.7.3 does not check an attachment's name. If an attacker places "../" in the file name, the file can be stored in an unintended directory because of Directory Traversal. | ||||
| CVE-2018-11235 | 5 Canonical, Debian, Git-scm and 2 more | 10 Ubuntu Linux, Debian Linux, Git and 7 more | 2024-08-05 | N/A |
| In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. | ||||
| CVE-2018-11137 | 1 Quest | 1 Kace System Management Appliance | 2024-08-05 | N/A |
| The 'checksum' parameter of the '/common/download_attachment.php' script in the Quest KACE System Management Appliance 8.0.318 can be abused to read arbitrary files with 'www' privileges via Directory Traversal. No administrator privileges are needed to execute this script. | ||||