Total
6551 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-40734 | 1 Unisharp | 1 Laravel Filemanager | 2024-08-03 | 6.5 Medium |
| UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0. | ||||
| CVE-2022-40444 | 1 Zzcms | 1 Zzcms | 2024-08-03 | 5.3 Medium |
| ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server. | ||||
| CVE-2022-40443 | 1 Zzcms | 1 Zzcms | 2024-08-03 | 5.3 Medium |
| An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php. | ||||
| CVE-2022-40264 | 1 Iconics | 1 Genesis64 | 2024-08-03 | 6.3 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to create, tamper with or destroy arbitrary files by getting a legitimate user import a project package file crafted by the attacker. | ||||
| CVE-2022-40199 | 1 Ec-cube | 1 Ec-cube | 2024-08-03 | 2.7 Low |
| Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information. | ||||
| CVE-2022-40082 | 2 Cloudwego, Microsoft | 2 Hertz, Windows | 2024-08-03 | 7.5 High |
| Hertz v0.3.0 ws discovered to contain a path traversal vulnerability via the normalizePath function. | ||||
| CVE-2022-40123 | 1 Mojoportal | 1 Mojoportal | 2024-08-03 | 6.5 Medium |
| mojoPortal v2.7 was discovered to contain a path traversal vulnerability via the "f" parameter at /DesignTools/CssEditor.aspx. This vulnerability allows authenticated attackers to read arbitrary files in the system. | ||||
| CVE-2022-39838 | 1 Systematicalpha | 2 Systematic Fix Adapter, Systematic Fix Adapter Firmware | 2024-08-03 | 8.6 High |
| Systematic FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remote file inclusion via a UNC share pathname, and also allows absolute path traversal to local pathnames. | ||||
| CVE-2022-39858 | 1 Samsung | 1 Factorycamera | 2024-08-03 | 7.3 High |
| Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to write arbitrary file as FactoryCamera privilege. | ||||
| CVE-2022-39812 | 1 Italtel | 1 Netmatch-s Ci | 2024-08-03 | 7.5 High |
| Italtel NetMatch-S CI 5.2.0-20211008 allows Absolute Path Traversal under NMSCI-WebGui/SaveFileUploader. An unauthenticated user can upload files to an arbitrary path. An attacker can change the uploadDir parameter in a POST request (not possible using the GUI) to an arbitrary directory. Because the application does not check in which directory a file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server. | ||||
| CVE-2022-39802 | 1 Sap | 1 Manufacturing Execution | 2024-08-03 | 7.5 High |
| SAP Manufacturing Execution - versions 15.1, 15.2, 15.3, allows an attacker to exploit insufficient validation of a file path request parameter. The intended file path can be manipulated to allow arbitrary traversal of directories on the remote server. The file content within each directory can be read which may lead to information disclosure. | ||||
| CVE-2022-39367 | 1 Qtiworks Project | 1 Qtiworks | 2024-08-03 | 8.6 High |
| QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so can insert files into other locations in the filesystem if they are writable by the process running the QTIWorks Engine. In extreme cases, this could allow anonymous users to change files in arbitrary locations in the filesystem. In normal QTIWorks Engine deployments, the impact is somewhat reduced because the default QTIWorks configuration does not enable the public demo functionality, so ZIP files can only be uploaded by users with "instructor" privileges. This vulnerability is fixed in version 1.0-beta15. There are no database configuration changes required when upgrading to this version. No known workarounds for this issue exist. | ||||
| CVE-2022-39347 | 3 Fedoraproject, Freerdp, Redhat | 3 Fedora, Freerdp, Enterprise Linux | 2024-08-03 | 2.6 Low |
| FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing path canonicalization and base path check for `drive` channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/drive`, `/drives` or `+home-drive` redirection switch. | ||||
| CVE-2022-39345 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2024-08-03 | 9.8 Critical |
| Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Gin-vue-admin prior to 2.5.4 is vulnerable to path traversal, which leads to file upload vulnerabilities. Version 2.5.4 contains a patch for this issue. There are no workarounds aside from upgrading to a patched version. | ||||
| CVE-2022-39296 | 1 Melistechnology | 1 Melis-asset-manager | 2024-08-03 | 8.6 High |
| MelisAssetManager provides deliveries of Melis Platform's assets located in every module's public folder. Attackers can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-asset-manager` >= 5.0.1. This issue was addressed by restricting access to files to intended directories only. | ||||
| CVE-2022-39261 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-08-03 | 7.5 High |
| Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading. | ||||
| CVE-2022-39221 | 2 Mcwebserver Minecraft Mod For Fabric And Quilt Project, Mcwebserver Minecraft Mod For Forge Project | 2 Mcwebserver Minecraft Mod For Fabric And Quilt, Mcwebserver Minecraft Mod For Forge | 2024-08-03 | 7.5 High |
| McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files, accessible by the program, to be read by anyone via HTTP request. Version 0.2.0 with patches are released to both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the `mods` directory. | ||||
| CVE-2022-39210 | 1 Nextcloud | 1 Nextcloud | 2024-08-03 | 3.2 Low |
| Nextcloud android is the official Android client for the Nextcloud home server platform. Internal paths to the Nextcloud Android app files are not properly protected. As a result access to internal files of the from within the Nextcloud Android app is possible. This may lead to a leak of sensitive information in some cases. It is recommended that the Nextcloud Android app is upgraded to 3.21.0. There are no known workarounds for this issue. | ||||
| CVE-2022-39178 | 1 Webvendome Project | 1 Webvendome | 2024-08-03 | 5.3 Medium |
| Webvendome - webvendome Internal Server IP Disclosure. Send GET Request to the request which is shown in the picture. Internal Server IP and Full path disclosure. | ||||
| CVE-2022-39215 | 1 Tauri | 1 Tauri | 2024-08-03 | 8.3 High |
| Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`. | ||||