Total
6500 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-9205 | 1 Drupal | 1 Avatar Uploader | 2024-08-05 | N/A |
| Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php doesn't verify users or sanitize the file path. | ||||
| CVE-2018-9117 | 1 Wiremock | 1 Wiremock | 2024-08-05 | N/A |
| WireMock before 2.16.0 contains a vulnerability that allows a remote unauthenticated attacker to access local files beyond the application directory via a specially crafted XML request, aka Directory Traversal. | ||||
| CVE-2018-9109 | 1 Std42 | 1 Elfinder | 2024-08-05 | 9.1 Critical |
| Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process. | ||||
| CVE-2018-9159 | 2 Redhat, Sparkjava | 3 Jboss Amq, Jboss Fuse, Spark | 2024-08-05 | N/A |
| In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark. | ||||
| CVE-2018-9110 | 1 Std42 | 1 Elfinder | 2024-08-05 | 9.1 Critical |
| Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process. NOTE: this issue exists because of an incomplete fix for CVE-2018-9109. | ||||
| CVE-2018-9118 | 1 99robots | 1 Wp Background Takeover Advertisements | 2024-08-05 | N/A |
| exports/download.php in the 99 Robots WP Background Takeover Advertisements plugin before 4.1.5 for WordPress has Directory Traversal via a .. in the filename parameter. | ||||
| CVE-2018-9074 | 1 Lenovo | 22 Iomega Ez Media \& Backup Center, Iomega Storcenter Ix2, Iomega Storcenter Ix2-dl and 19 more | 2024-08-05 | N/A |
| For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the file upload functionality of the Content Explorer application is vulnerable to path traversal. As a result, users can upload files anywhere on the device's operating system as the root user. | ||||
| CVE-2018-7482 | 1 Joomlaworks | 1 K2 | 2024-08-05 | N/A |
| The K2 component 2.8.0 for Joomla! has Incorrect Access Control with directory traversal, allowing an attacker to download arbitrary files, as demonstrated by a view=media&task=connector&cmd=file&target=l1_../configuration.php&download=1 request. The specific pathname ../configuration.php should be base64 encoded for a valid attack. NOTE: the vendor disputes this issue because only files under the media-manager path can be downloaded, and the documentation indicates that sensitive information does not belong there. Nonetheless, 2.8.1 has additional blocking of .php downloads | ||||
| CVE-2018-8968 | 1 Zzcms | 1 Zzcms | 2024-08-05 | 7.5 High |
| An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | ||||
| CVE-2018-9038 | 1 Monstra | 1 Monstra | 2024-08-05 | N/A |
| Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request. | ||||
| CVE-2018-9010 | 1 Intelbras | 4 Tip200, Tip200 Firmware, Tip200lite and 1 more | 2024-08-05 | 7.2 High |
| Intelbras TELEFONE IP TIP200/200 LITE 60.0.75.29 devices allow remote authenticated admins to read arbitrary files via the /cgi-bin/cgiServer.exx page parameter, aka absolute path traversal. In some cases, authentication can be achieved via the admin account with its default admin password. | ||||
| CVE-2018-8965 | 1 Zzcms | 1 Zzcms | 2024-08-05 | 7.5 High |
| An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | ||||
| CVE-2018-8969 | 1 Zzcms | 1 Zzcms | 2024-08-05 | 7.5 High |
| An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | ||||
| CVE-2018-8727 | 1 Mirasys | 1 Dvms Workstation | 2024-08-05 | N/A |
| Path Traversal in Gateway in Mirasys DVMS Workstation 5.12.6 and earlier allows an attacker to traverse the file system to access files or directories via the Web Client webserver. | ||||
| CVE-2018-8778 | 4 Canonical, Debian, Redhat and 1 more | 9 Ubuntu Linux, Debian Linux, Enterprise Linux and 6 more | 2024-08-05 | N/A |
| In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure. | ||||
| CVE-2018-8741 | 2 Debian, Squirrelmail | 2 Debian Linux, Squirrelmail | 2024-08-05 | N/A |
| A directory traversal flaw in SquirrelMail 1.4.22 allows an authenticated attacker to exfiltrate (or potentially delete) files from the hosting server, related to ../ in the att_local_name field in Deliver.class.php. | ||||
| CVE-2018-8780 | 4 Canonical, Debian, Redhat and 1 more | 9 Ubuntu Linux, Debian Linux, Enterprise Linux and 6 more | 2024-08-05 | N/A |
| In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional directory traversal may be performed. | ||||
| CVE-2018-8495 | 1 Microsoft | 2 Windows 10, Windows Server 2016 | 2024-08-05 | N/A |
| A remote code execution vulnerability exists when Windows Shell improperly handles URIs, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. | ||||
| CVE-2018-8009 | 2 Apache, Redhat | 2 Hadoop, Jboss Fuse | 2024-08-05 | N/A |
| Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file. | ||||
| CVE-2018-7933 | 1 Huawei | 4 Hirouter-cd20, Hirouter-cd20 Firmware, Ws5200 and 1 more | 2024-08-05 | N/A |
| Huawei home gateway products HiRouter-CD20 and WS5200 with the versions before HiRouter-CD20-10 1.9.6 and the versions before WS5200-10 1.9.6 have a path traversal vulnerability. Due to the lack of validation while these home gateway products install APK plugins, an attacker tricks a user into installing a malicious APK plugin, and plugin can overwrite arbitrary file of devices. Successful exploit may result in arbitrary code execution or privilege escalation. | ||||