Total
6552 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-30117 | 1 Concretecms | 1 Concrete Cms | 2024-08-03 | 9.1 Critical |
| Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting. | ||||
| CVE-2022-30058 | 1 Shopwind | 1 Shopwind | 2024-08-03 | 5.3 Medium |
| Shopwind <=v3.4.2 was discovered to contain a Arbitrary File Download vulnerability via the neirong parameter at \backend\controllers\DbController.php. | ||||
| CVE-2022-30059 | 1 Shopwind | 1 Shopwind | 2024-08-03 | 6.5 Medium |
| Shopwind <=v3.4.2 was discovered to contain a Arbitrary File Delete vulnerability via the neirong parameter at \backend\controllers\DbController.php. | ||||
| CVE-2022-30062 | 1 Ftcms | 1 Ftcms | 2024-08-03 | 6.5 Medium |
| ftcms <=2.1 was discovered to be vulnerable to Arbitrary File Read via tp.php | ||||
| CVE-2022-29970 | 3 Debian, Redhat, Sinatrarb | 7 Debian Linux, Enterprise Linux, Rhel E4s and 4 more | 2024-08-03 | 7.5 High |
| Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. | ||||
| CVE-2022-29967 | 1 Glewlwyd Project | 1 Glewlwyd | 2024-08-03 | 7.5 High |
| static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6.2 allows directory traversal. | ||||
| CVE-2022-29844 | 1 Westerndigital | 16 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 13 more | 2024-08-03 | 6.7 Medium |
| A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker. | ||||
| CVE-2022-29804 | 2 Golang, Microsoft | 2 Go, Windows | 2024-08-03 | 7.5 High |
| Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack. | ||||
| CVE-2022-29837 | 1 Westerndigital | 6 My Cloud Home, My Cloud Home Duo, My Cloud Home Duo Firmware and 3 more | 2024-08-03 | 4.7 Medium |
| A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution. | ||||
| CVE-2022-29806 | 1 Zoneminder | 1 Zoneminder | 2024-08-03 | 9.8 Critical |
| ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. | ||||
| CVE-2022-29836 | 1 Westerndigital | 6 My Cloud Home, My Cloud Home Duo, My Cloud Home Duo Firmware and 3 more | 2024-08-03 | 1.9 Low |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Cloud Home; My Cloud Home Duo; and SanDisk ibi devices that could allow an attacker to abuse certain parameters to point to random locations on the file system. This could also allow the attacker to initiate the installation of custom packages at these locations. This can only be exploited once the attacker has been authenticated to the device. This issue affects: Western Digital My Cloud Home and My Cloud Home Duo versions prior to 8.11.0-113 on Linux; SanDisk ibi versions prior to 8.11.0-113 on Linux. | ||||
| CVE-2022-29834 | 1 Iconics | 1 Genesis64 | 2024-08-03 | 7.5 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS GENESIS64 versions 10.97 to 10.97.1 allows a remote unauthenticated attacker to access to arbitrary files in the GENESIS64 server and disclose information stored in the files by embedding a malicious URL parameter in the URL of the monitoring screen delivered to the GENESIS64 mobile monitoring application and accessing the monitoring screen. | ||||
| CVE-2022-29799 | 1 Microsoft | 1 Windows Defender For Endpoint | 2024-08-03 | 5.5 Medium |
| A vulnerability was found in networkd-dispatcher. This flaw exists because no functions are sanitized by the OperationalState or the AdministrativeState of networkd-dispatcher. This attack leads to a directory traversal to escape from the “/etc/networkd-dispatcher” base directory. | ||||
| CVE-2022-29774 | 1 Ispyconnect | 1 Ispy | 2024-08-03 | 9.8 Critical |
| iSpy v7.2.2.0 is vulnerable to remote command execution via path traversal. | ||||
| CVE-2022-29596 | 1 Microstrategy | 1 Enterprise Manager | 2024-08-03 | 9.8 Critical |
| MicroStrategy Enterprise Manager 2022 allows authentication bypass by triggering a login failure and then entering the Uid=/../../../../../../../../../../../windows/win.ini%00.jpg&Pwd=_any_password_&ConnMode=1&3054=Login substring for directory traversal. | ||||
| CVE-2022-29597 | 1 Solutions-atlantic | 1 Regulatory Reporting System | 2024-08-03 | 6.5 Medium |
| Solutions Atlantic Regulatory Reporting System (RRS) v500 is vulnerable to Local File Inclusion (LFI). Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the file contents of the internal system file requested. This ability could allow for adversaries to extract sensitive data and/or files from the underlying file system, gain knowledge about the internal workings of the system, or access source code of the application. | ||||
| CVE-2022-29580 | 1 Google | 1 Google Search | 2024-08-03 | 8.9 High |
| There exists a path traversal vulnerability in the Android Google Search app. This is caused by the incorrect usage of uri.getLastPathSegment. A symbolic encoded string can bypass the path logic to get access to unintended directories. An attacker can manipulate paths that could lead to code execution on the device. We recommend upgrading beyond version 13.41 | ||||
| CVE-2022-29509 | 1 Tandd | 3 T\&d Server, Thermo Recorder Data Server, Thermo Recorder Data Server Firmware | 2024-08-03 | 7.5 High |
| Directory traversal vulnerability in T&D Data Server (Japanese Edition) Ver.2.22 and earlier, T&D Data Server (English Edition) Ver.2.30 and earlier, THERMO RECORDER DATA SERVER (Japanese Edition) Ver.2.13 and earlier, and THERMO RECORDER DATA SERVER (English Edition) Ver.2.13 and earlier allows a remote attacker to view an arbitrary file on the server via unspecified vectors. | ||||
| CVE-2022-29464 | 1 Wso2 | 8 Api Manager, Enterprise Integrator, Identity Server and 5 more | 2024-08-03 | 9.8 Critical |
| Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0 up to 5.11.0, WSO2 Enterprise Integrator 6.2.0 up to 6.6.0, WSO2 Open Banking AM 1.4.0 up to 2.0.0 and WSO2 Open Banking KM 1.4.0, up to 2.0.0. | ||||
| CVE-2022-29332 | 1 Dlink | 2 Dir-825, Dir-825 Firmware | 2024-08-03 | 6.5 Medium |
| D-LINK DIR-825 AC1200 R2 is vulnerable to Directory Traversal. An attacker could use the "../../../../" setting of the FTP server folder to set the router's root folder for FTP access. This allows you to access the entire router file system via the FTP server. | ||||