Total: 273 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-5284 | 1 Zeit | 1 Next.js | 2024-11-21 | 4.4 Medium | Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. |
CVE-2020-5280 | 1 Typelevel | 1 Http4s | 2024-11-21 | 7.6 High | http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported. |
CVE-2020-5237 | 1 1up | 1 Oneupuploaderbundle | 2024-11-21 | 8.8 High | Multiple relative path traversal vulnerabilities in the oneup/uploader-bundle before 1.9.3 and 2.1.5 allow remote attackers to upload, copy, and modify files on the filesystem (potentially leading to arbitrary code execution) via the (1) filename parameter to BlueimpController.php; the (2) dzchunkindex, (3) dzuuid, or (4) filename parameter to DropzoneController.php; the (5) qqpartindex, (6) qqfilename, or (7) qquuid parameter to FineUploaderController.php; the (8) x-file-id or (9) x-file-name parameter to MooUploadController.php; or the (10) name or (11) chunk parameter to PluploadController.php. This is fixed in versions 1.9.3 and 2.1.5. |
CVE-2020-4039 | 1 Fossasia | 1 Susi.ai | 2024-11-21 | 8.6 High | SUSI.AI is an intelligent Open Source personal assistant. SUSI.AI Server before version d27ed0f has a directory traversal vulnerability due to insufficient input validation. Any admin config and file readable by the app can be retrieved by the attacker. Furthermore, some files can also be moved or deleted. |
CVE-2020-3597 | 1 Cisco | 1 Nexus Data Broker | 2024-11-21 | 5.4 Medium | A vulnerability in the configuration restore feature of Cisco Nexus Data Broker software could allow an unauthenticated, remote attacker to perform a directory traversal attack on an affected device. The vulnerability is due to insufficient validation of configuration backup files. An attacker could exploit this vulnerability by persuading an administrator to restore a crafted configuration backup file. A successful exploit could allow the attacker to overwrite arbitrary files that are accessible through the affected software on an affected device. |
CVE-2020-27304 | 3 Civetweb Project, Redhat, Siemens | 3 Civetweb, Advanced Cluster Security, Sinec Infrastructure Network Services | 2024-11-21 | 9.8 Critical | The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal. |
CVE-2020-25172 | 1 Bbraun | 1 Onlinesuite Application Package | 2024-11-21 | 9.8 Critical | A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files. |
CVE-2020-1904 | 1 Whatsapp | 2 Whatsapp, Whatsapp Business | 2024-11-21 | 5.5 Medium | A path validation issue in WhatsApp for iOS prior to v2.20.61 and WhatsApp Business for iOS prior to v2.20.61 could have allowed for directory traversal overwriting files when sending specially crafted docx, xlsx, and pptx files as attachments to messages. |
CVE-2020-12026 | 1 Advantech | 1 Webaccess | 2024-11-21 | 8.8 High | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. |
CVE-2020-12010 | 1 Advantech | 1 Webaccess | 2024-11-21 | 7.1 High | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow an authenticated user to use a specially crafted file to delete files outside the application’s control. |
CVE-2020-12006 | 1 Advantech | 1 Webaccess | 2024-11-21 | 9.8 Critical | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. |
CVE-2020-10631 | 1 Advantech | 1 Webaccess/nms | 2024-11-21 | 9.8 Critical | An attacker could use a specially crafted URL to delete or read files outside the WebAccess/NMS's (versions prior to 3.0.2) control. |
CVE-2020-10619 | 1 Advantech | 1 Webaccess/nms | 2024-11-21 | 9.1 Critical | An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) control. |
CVE-2019-3976 | 1 Mikrotik | 1 Routeros | 2024-11-21 | 8.8 High | RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary directory creation vulnerability via the upgrade package's name field. If an authenticated user installs a malicious package then a directory could be created and the developer shell could be enabled. |
CVE-2019-3943 | 1 Mikrotik | 1 Routeros | 2024-11-21 | 8.1 High | MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are vulnerable to an authenticated, remote directory traversal via the HTTP or Winbox interfaces. An authenticated, remote attacker can use this vulnerability to read and write files outside of the sandbox directory (/rw/disk). |
CVE-2019-19287 | 1 Siemens | 1 Xhq | 2024-11-21 | 6.5 Medium | A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow attackers to traverse the file system of the server by sending specially crafted packets over the network without authentication. |
CVE-2019-18338 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-11-21 | 7.7 High | A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The Control Center Server (CCS) contains a directory traversal vulnerability in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker with network access to the CCS server could exploit this vulnerability to list arbitrary directories or read files outside of the CCS application context. |
CVE-2019-17640 | 1 Eclipse | 1 Vert.x | 2024-11-21 | 9.8 Critical | In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler does not correctly process backslashes on Windows operating systems, allowing escape from the webroot folder to the current working directory. |
CVE-2019-13944 | 1 Siemens | 6 En100 Ethernet Module, En100 Ethernet Module With Firmware Variant Dnp3 Tcp, En100 Ethernet Module With Firmware Variant Iec104 and 3 more | 2024-11-21 | 5.3 Medium | A vulnerability has been identified in EN100 Ethernet module DNP3 variant (All versions), EN100 Ethernet module IEC 61850 variant (All versions < V4.37), EN100 Ethernet module IEC104 variant (All versions), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module PROFINET IO variant (All versions). A vulnerability in the integrated web server of the affected devices could allow unauthorized attackers to obtain sensitive information about the device, including logs and configurations. At the time of advisory publication no public exploitation of this security vulnerability was known. |
CVE-2019-13408 | 2 Androvideo, Geovision | 6 Vd 1, Vd 1 Firmware, Gv-vd8700 and 3 more | 2024-11-21 | 7.5 High | A relative path traversal vulnerability was found in Advan VD-1 firmware versions up to 230. It allows attackers to download arbitrary files via the URL cgibin/ExportSettings.cgi?Download=filepath, without any authentication. |