Total
6516 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-11738 | 1 Snapcreek | 1 Duplicator | 2024-08-04 | 7.5 High |
| The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init. | ||||
| CVE-2020-11736 | 4 Canonical, Debian, Gnome and 1 more | 4 Ubuntu Linux, Debian Linux, File-roller and 1 more | 2024-08-04 | 3.9 Low |
| fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. | ||||
| CVE-2020-11700 | 1 Titanhq | 1 Spamtitan | 2024-08-04 | 6.5 Medium |
| An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter fname, used on the page certs-x.php, would allow an attacker to retrieve the contents of arbitrary files. The user has to be authenticated before interacting with this page. | ||||
| CVE-2020-11705 | 1 Provideserver | 1 Provide Ftp Server | 2024-08-04 | 9.8 Critical |
| An issue was discovered in ProVide (formerly zFTPServer) through 13.1. /ajax/ImportCertificate allows an attacker to load an arbitrary certificate in .pfx format or overwrite arbitrary files via the fileName parameter. | ||||
| CVE-2020-11596 | 1 Cipplanner | 1 Cipace | 2024-08-04 | 7.5 High |
| A Directory Traversal issue was discovered in CIPPlanner CIPAce 9.1 Build 2019092801. An unauthenticated attacker can make HTTP GET requests to a certain URL and obtain information about what files and directories reside on the server. | ||||
| CVE-2020-11652 | 6 Blackberry, Canonical, Debian and 3 more | 6 Workspaces Server, Ubuntu Linux, Debian Linux and 3 more | 2024-08-04 | 6.5 Medium |
| An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users. | ||||
| CVE-2020-11531 | 1 Zohocorp | 2 Manageengine Adaudit Plus, Manageengine Datasecurity Plus | 2024-08-04 | 8.8 High |
| The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal. | ||||
| CVE-2020-11498 | 1 Slack | 1 Nebula | 2024-08-04 | 8.8 High |
| Slack Nebula through 1.1.0 contains a relative path vulnerability that allows a low-privileged attacker to execute code in the context of the root user via tun_darwin.go or tun_windows.go. A user can also use Nebula to execute arbitrary code in the user's own context, e.g., for user-level persistence or to bypass security controls. NOTE: the vendor states that this "requires a high degree of access and other preconditions that are tough to achieve." | ||||
| CVE-2020-11491 | 1 Zevenet | 1 Zen Load Balancer | 2024-08-04 | 4.9 Medium |
| Monitoring::Logs in Zen Load Balancer 3.10.1 allows remote authenticated admins to conduct absolute path traversal attacks, as demonstrated by a filelog=/etc/shadow request to index.cgi. | ||||
| CVE-2020-11455 | 1 Limesurvey | 1 Limesurvey | 2024-08-04 | 9.8 Critical |
| LimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/admin/LimeSurveyFileManager.php. | ||||
| CVE-2020-11414 | 1 Telerik | 1 Ui For Silverlight | 2024-08-04 | 7.5 High |
| An issue was discovered in Progress Telerik UI for Silverlight before 2020.1.330. The RadUploadHandler class in RadUpload for Silverlight expects a web request that provides the file location of the uploading file along with a few other parameters. The uploading file location should be inside the directory where the upload handler class is defined. Before 2020.1.330, a crafted web request could result in uploads to arbitrary locations. | ||||
| CVE-2020-11439 | 1 Librehealth | 1 Librehealth Ehr | 2024-08-04 | 8.8 High |
| LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue allowing arbitrary PHP to be included and executed within the EMR application. | ||||
| CVE-2020-11431 | 1 Inetsoftware | 3 Clear Reports, Helpdesk, Pdfc | 2024-08-04 | 9.1 Critical |
| The documentation component in i-net Clear Reports 16.0 to 19.2, HelpDesk 8.0 to 8.3, and PDFC 4.3 to 6.2 allows a remote unauthenticated attacker to read arbitrary system files and directories on the target server via Directory Traversal. | ||||
| CVE-2020-11420 | 2 Abb, Generex | 4 Cs141, Cs141 Firmware, Cs141 and 1 more | 2024-08-04 | 6.5 Medium |
| UPS Adapter CS141 before 1.90 allows Directory Traversal. An attacker with Admin or Engineer login credentials could exploit the vulnerability by manipulating variables that reference files and by doing this achieve access to files and directories outside the web root folder. An attacker may access arbitrary files and directories stored in the file system, but integrity of the files are not jeopardized as attacker have read access rights only. | ||||
| CVE-2020-11073 | 1 Autoswitch Python Virtualenv Project | 1 Autoswitch Python Virtualenv | 2024-08-04 | 7.9 High |
| In Autoswitch Python Virtualenv before version 0.16.0, a user who enters a directory with a malicious `.venv` file could run arbitrary code without any user interaction. This is fixed in version: 1.16.0 | ||||
| CVE-2020-10953 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 7.5 High |
| In GitLab EE 11.7 through 12.9, the NPM feature is vulnerable to a path traversal issue. | ||||
| CVE-2020-10977 | 1 Gitlab | 1 Gitlab | 2024-08-04 | 5.5 Medium |
| GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects. | ||||
| CVE-2020-9353 | 1 Smartclient | 1 Smartclient | 2024-08-04 | 7.5 High |
| An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML element in the _transaction parameter. NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server." | ||||
| CVE-2020-10875 | 1 Zebra | 2 Fx9500, Fx9500 Firmware | 2024-08-04 | 7.5 High |
| Motorola FX9500 devices allow remote attackers to conduct absolute path traversal attacks, as demonstrated by PL/SQL Server Pages files such as /include/viewtagdb.psp. | ||||
| CVE-2020-10859 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-08-04 | 6.5 Medium |
| Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request. | ||||