Total
6537 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-28658 | 4 Debian, Djangoproject, Fedoraproject and 1 more | 6 Debian Linux, Django, Fedora and 3 more | 2024-08-03 | 5.3 Medium |
| In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. | ||||
| CVE-2021-28644 | 3 Adobe, Apple, Microsoft | 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more | 2024-08-03 | 7.8 High |
| Acrobat Reader DC versions 2021.005.20054 (and earlier), 2020.004.30005 (and earlier) and 2017.011.30197 (and earlier) are affected by a Path traversal vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2021-28650 | 3 Fedoraproject, Gnome, Redhat | 3 Fedora, Gnome-autoar, Enterprise Linux | 2024-08-03 | 5.5 Medium |
| autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241. | ||||
| CVE-2021-28377 | 1 Chronoengine | 1 Chronoforums | 2024-08-03 | 5.3 Medium |
| ChronoForums 2.0.11 allows av Directory Traversal to read arbitrary files. | ||||
| CVE-2021-28376 | 1 Chronoengine | 1 Chronoforums | 2024-08-03 | 2.7 Low |
| ChronoForms 7.0.7 allows fname Directory Traversal to read arbitrary files. | ||||
| CVE-2021-28149 | 1 Hongdian | 2 H8922, H8922 Firmware | 2024-08-03 | 6.5 Medium |
| Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file. | ||||
| CVE-2021-28042 | 1 Deutschepost | 1 Mailoptimizer | 2024-08-03 | 7.8 High |
| Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution. | ||||
| CVE-2021-27825 | 1 Mercurycom | 2 Mac1200r, Mac1200r Firmware | 2024-08-03 | 7.5 High |
| A directory traversal vulnerability on Mercury MAC1200R devices allows attackers to read arbitrary files via a web-static/ URL. | ||||
| CVE-2021-27753 | 1 Hcltech | 1 Hcl Sametime | 2024-08-03 | 5.5 Medium |
| "Sametime Android PathTraversal Vulnerability" | ||||
| CVE-2021-27755 | 1 Hcltech | 1 Hcl Sametime | 2024-08-03 | 5.5 Medium |
| "Sametime Android potential path traversal vulnerability when using File class" | ||||
| CVE-2021-27473 | 1 Rockwellautomation | 1 Connected Components Workbench | 2024-08-03 | 6.1 Medium |
| Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful. | ||||
| CVE-2021-27471 | 1 Rockwellautomation | 1 Connected Components Workbench | 2024-08-03 | 7.7 High |
| The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful. | ||||
| CVE-2021-27461 | 1 Emerson | 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more | 2024-08-03 | 7.5 High |
| A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected webserver applications allow access to stored data that can be obtained by using specially crafted URLs. | ||||
| CVE-2021-27402 | 1 Mitel | 1 Micollab | 2024-08-03 | 6.5 Medium |
| The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL validation, aka Directory Traversal. | ||||
| CVE-2021-27341 | 1 Os4ed | 1 Opensis | 2024-08-03 | 9.8 Critical |
| OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter. | ||||
| CVE-2021-27367 | 1 Boltcms | 1 Bolt | 2024-08-03 | 7.5 High |
| Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal. | ||||
| CVE-2021-27328 | 1 Yeastar | 2 Neogate Tg400, Neogate Tg400 Firmware | 2024-08-03 | 6.5 Medium |
| Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key. | ||||
| CVE-2021-27278 | 1 Parallels | 1 Parallels Desktop | 2024-08-03 | 8.2 High |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.1-49141. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the current user on the host system. Was ZDI-CAN-12130. | ||||
| CVE-2021-27275 | 1 Netgear | 1 Prosafe Network Management System | 2024-08-03 | 8.3 High |
| This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ConfigFileController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information or to create a denial-of-service condition on the system. Was ZDI-CAN-12125. | ||||
| CVE-2021-27276 | 1 Netgear | 1 Prosafe Network Management System | 2024-08-03 | 7.1 High |
| This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MibController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12122. | ||||