Total
6517 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-28187 | 1 Terra-master | 1 Tos | 2024-08-04 | 9.8 Critical |
| Multiple directory traversal vulnerabilities in TerraMaster TOS <= 4.2.06 allow remote authenticated attackers to read, edit or delete any file within the filesystem via the (1) filename parameter to /tos/index.php?editor/fileGet, Event parameter to /include/ajax/logtable.php, or opt parameter to /include/core/index.php. | ||||
| CVE-2020-27993 | 1 Hrsale | 1 Hrsale | 2024-08-04 | 5.3 Medium |
| Hrsale 2.0.0 allows download?type=files&filename=../ directory traversal to read arbitrary files. | ||||
| CVE-2020-27994 | 1 Solarwinds | 1 Serv-u | 2024-08-04 | 6.5 Medium |
| SolarWinds Serv-U before 15.2.2 allows Authenticated Directory Traversal. | ||||
| CVE-2020-27896 | 1 Apple | 2 Mac Os X, Macos | 2024-08-04 | 5.5 Medium |
| A path handling issue was addressed with improved validation. This issue is fixed in macOS Big Sur 11.0.1. A remote attacker may be able to modify the file system. | ||||
| CVE-2020-27859 | 1 Nec | 1 Esmpro Manager | 2024-08-04 | 7.5 High |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of NEC ESMPRO Manager 6.42. Authentication is not required to exploit this vulnerability. The specific flaw exists within the GetEuaLogDownloadAction class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-9607. | ||||
| CVE-2020-27870 | 1 Solarwinds | 1 Orion Platform | 2024-08-04 | 6.5 Medium |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1. Authentication is required to exploit this vulnerability. The specific flaw exists within ExportToPDF.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11917. | ||||
| CVE-2020-27871 | 1 Solarwinds | 1 Orion Platform | 2024-08-04 | 7.2 High |
| This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within VulnerabilitySettings.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-11902. | ||||
| CVE-2020-27730 | 2 F5, Netapp | 2 Nginx Controller, Cloud Backup | 2024-08-04 | 9.8 Critical |
| In versions 3.0.0-3.9.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller Agent does not use absolute paths when calling system utilities. | ||||
| CVE-2020-27637 | 1 R-project | 1 Cran | 2024-08-04 | 9.8 Critical |
| The R programming language’s default package manager CRAN is affected by a path traversal vulnerability that can lead to server compromise. This vulnerability affects packages installed via the R CMD install cli command or the install.packages() function from the interpreter. Update to version 4.0.3 | ||||
| CVE-2020-27553 | 1 Basetech | 2 Ge-131 Bt-1837836, Ge-131 Bt-1837836 Firmware | 2024-08-04 | 7.5 High |
| In BASETech GE-131 BT-1837836 firmware 20180921, the web-server on the system is configured with the option “DocumentRoot /etc“. This allows an attacker with network access to the web-server to download any files from the “/etc” folder without authentication. No path traversal sequences are needed to exploit this vulnerability. | ||||
| CVE-2020-27534 | 1 Docker | 1 Docker | 2024-08-04 | 5.3 Medium |
| util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call. | ||||
| CVE-2020-27467 | 1 Processwire | 1 Processwire | 2024-08-04 | 7.5 High |
| A Directory Traversal vulnerability exits in Processwire CMS before 2.7.1 via the download parameter to index.php. | ||||
| CVE-2020-27304 | 3 Civetweb Project, Redhat, Siemens | 3 Civetweb, Advanced Cluster Security, Sinec Infrastructure Network Services | 2024-08-04 | 9.8 Critical |
| The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal | ||||
| CVE-2020-27385 | 1 Flexdotnetcms Project | 1 Flexdotnetcms | 2024-08-04 | 8.1 High |
| Incorrect Access Control in the FileEditor (/Admin/Views/FileEditor/) in FlexDotnetCMS before v1.5.11 allows an authenticated remote attacker to read and write to existing files outside the web root. The files can be accessed via directory traversal, i.e., by entering a .. (dot dot) path such as ..\..\..\..\..\<file> in the input field of the FileEditor. In FlexDotnetCMS before v1.5.8, it is also possible to access files by specifying the full path (e.g., C:\<file>). The files can then be edited via the FileEditor. | ||||
| CVE-2020-27160 | 1 Westerndigital | 6 My Cloud Ex4100, My Cloud Expert Series Ex2, My Cloud Firmware and 3 more | 2024-08-04 | 9.8 Critical |
| Addressed remote code execution vulnerability in AvailableApps.php that allowed escalation of privileges in Western Digital My Cloud NAS devices prior to 5.04.114 (issue 3 of 3). | ||||
| CVE-2020-26837 | 1 Sap | 1 Solution Manager | 2024-08-04 | 9.1 Critical |
| SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality exposing elements of the file system, partially compromise integrity allowing the modification of some configurations and partially compromise availability by making certain services unavailable. | ||||
| CVE-2020-26806 | 1 Objectplanet | 1 Opinio | 2024-08-04 | 8.8 High |
| admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code. | ||||
| CVE-2020-26650 | 1 Atomx | 1 Atomxcms | 2024-08-04 | 5.3 Medium |
| AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php | ||||
| CVE-2020-26603 | 1 Google | 1 Android | 2024-08-04 | 5.3 Medium |
| An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) software. Sticker Center allows directory traversal for an unprivileged process to read arbitrary files. The Samsung ID is SVE-2020-18433 (October 2020). | ||||
| CVE-2020-26405 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 7.1 High |
| Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. Affected versions are >=12.8, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. | ||||