| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds. |
| Path traversal vulnerability in SHIRASAGI prior to v1.18.0 allows a remote authenticated attacker to alter or create arbitrary files on the server, resulting in arbitrary code execution. |
| The Watchkit has a risk of unauthorized file access.Successful exploitation of this vulnerability may affect confidentiality and integrity. |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. |
| A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network.
We have already fixed the vulnerability in the following versions:
Music Station 4.8.11 and later
Music Station 5.1.16 and later
Music Station 5.3.23 and later
|
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Averta Phlox Shop allows PHP Local File Inclusion.This issue affects Phlox Shop: from n/a through 2.0.0. |
| webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability. |
| An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file. |
| An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file. |
| An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry. |
| Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component. |
| A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive. |
| A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. |
| The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'. |
| Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite.
The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted. |
| Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to upload `template file` on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to `/knowageqbeengine/foo.jsp` to gain code execution on the server. By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the `knowageqbeengine` directory and gain code execution capability on the server. This issue has been patched in Knowage version 8.1.8. |
| cypress-image-snapshot shows visual regressions in Cypress with jest-image-snapshot. Prior to version 8.0.2, it's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine running the test. This issue has been patched in version 8.0.2.
|
| A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. |
