Total: 6651 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2023-30620 | 1 Mindsdb | 1 Mindsdb | 2024-08-02 | 7.5 High | mindsdb is a Machine Learning platform to help developers build AI solutions. In affected versions an unsafe extraction is performed using `tarfile.extractall()` on a remotely retrieved tarball, which may lead to the extracted files being written to an unintended location. This is sometimes called a TarSlip or ZipSlip variant. An attacker may leverage this vulnerability to overwrite any local file which the server process has access to. There is no risk of file exposure with this vulnerability. This issue has been addressed in release `23.2.1.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
CVE-2023-30548 | 1 Gatsbyjs | 1 Gatsby | 2024-08-02 | 4.3 Medium | gatsby-plugin-sharp is a plugin for the Gatsby framework which exposes functions built on the Sharp image processing library. The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gatsby develop server (`gatsby develop`). It should be noted that by default `gatsby develop` is only accessible via the localhost address 127.0.0.1, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability, using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. Attackers exploiting this vulnerability have read access to all files within the scope of the server process. A patch has been introduced in gatsby-plugin-sharp@5.8.1 and gatsby-plugin-sharp@4.25.1 which mitigates the issue by ensuring that included paths remain within the project directory. As stated above, by default `gatsby develop` is only exposed to the localhost address 127.0.0.1, so no risk is posed to those using the develop server in the default configuration. If other ranges are required, preventing the develop server from being exposed to untrusted interfaces or IP address ranges mitigates the risk from this vulnerability. Users are nonetheless encouraged to upgrade to a safe version. |
CVE-2023-30509 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2024-08-02 | 4.9 Medium | Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. |
CVE-2023-30507 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2024-08-02 | 4.9 Medium | Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. |
CVE-2023-30508 | 1 Arubanetworks | 1 Edgeconnect Enterprise | 2024-08-02 | 4.9 Medium | Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. |
CVE-2023-30380 | 1 Dedecms | 1 Dedecms | 2024-08-02 | 7.5 High | An issue in the component `/dialog/select_media.php` of DedeCMS v5.7.107 allows attackers to perform a directory traversal. |
CVE-2023-30451 | 1 Typo3 | 1 Typo3 | 2024-08-02 | 4.9 Medium | In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by `POST /typo3/record/edit` with `../../../` in `data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]`. |
CVE-2023-30198 | 1 Webbax | 1 Winbizpayment | 2024-08-02 | 7.5 High | PrestaShop winbizpayment <= 1.0.2 is vulnerable to Incorrect Access Control via `modules/winbizpayment/downloads/download.php`. |
CVE-2023-30197 | 1 Webbax | 1 Myinventory | 2024-08-02 | 7.5 High | Incorrect Access Control in the module "My inventory" (myinventory) <= 1.6.6 from Webbax for PrestaShop allows a guest to download personal information without restriction by performing a path traversal attack. |
CVE-2023-30196 | 1 Webbax | 1 Salesbooster | 2024-08-02 | 7.5 High | PrestaShop salesbooster <= 1.10.4 is vulnerable to Incorrect Access Control via `modules/salesbooster/downloads/download.php`. |
CVE-2023-30268 | 2 Cltphp, Microsoft | 2 Cltphp, Windows | 2024-08-02 | 9.8 Critical | CLTPHP <= 6.0 is vulnerable to Improper Input Validation. |
CVE-2023-30265 | 1 Cltphp | 1 Cltphp | 2024-08-02 | 6.5 Medium | CLTPHP <= 6.0 is vulnerable to Directory Traversal. |
CVE-2023-30199 | 1 Webbax | 1 Customexporter | 2024-08-02 | 7.5 High | PrestaShop customexporter <= 1.7.20 is vulnerable to Incorrect Access Control via `modules/customexporter/downloads/download.php`. |
CVE-2023-30172 | 1 Lfprojects | 1 Mlflow | 2024-08-02 | 7.5 High | A directory traversal vulnerability in the `/get-artifact` API method of the mlflow platform up to v2.0.1 allows attackers to read arbitrary files on the server via the `path` parameter. |
CVE-2023-29986 | 1 Spring-boot-actuator-logview Project | 1 Spring-boot-actuator-logview | 2024-08-02 | 5.3 Medium | spring-boot-actuator-logview 0.2.13 allows Directory Traversal to sibling directories via `LogViewEndpoint.view`. |
CVE-2023-29962 | 1 S-cms | 1 S-cms | 2024-08-02 | 6.5 Medium | S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability. |
CVE-2023-29736 | 1 Timmystudios | 1 Keyboard Themes | 2024-08-02 | 9.8 Critical | Keyboard Themes 1.275.1.164 for Android contains a directory traversal vulnerability that allows unauthorized apps to overwrite arbitrary files in its internal storage and achieve arbitrary code execution. |
CVE-2023-29887 | 1 Nuovo | 1 Spreadsheet-reader | 2024-08-02 | 7.5 High | A Local File Inclusion vulnerability in `test.php` in spreadsheet-reader 0.5.11 allows remote attackers to include arbitrary files via the `File` parameter. |
CVE-2023-29502 | 1 Ptc | 1 Vuforia Studio | 2024-08-02 | 6.2 Medium | Before importing a project into Vuforia, a user could modify the `resourceDirectory` attribute in the `appConfig.json` file to be a different path. |
CVE-2023-29478 | 1 Bibliocraftmod | 1 Bibliocraft | 2024-08-02 | 9.8 Critical | BiblioCraft before 2.4.6 does not sanitize path-traversal characters in filenames, allowing restricted write access to almost anywhere on the filesystem. This includes the Minecraft mods folder, which results in code execution. |