Total
7108 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-24869 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BoldGrid Total Upkeep allows Relative Path Traversal.This issue affects Total Upkeep: from n/a through 1.15.8. | |||||
| CVE-2024-24756 | 1 Crafatar | 1 Crafatar | 2024-11-21 | N/A | 7.5 HIGH |
| Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5. | |||||
| CVE-2024-24591 | 1 Clear | 1 Clearml | 2024-11-21 | N/A | 8.0 HIGH |
| A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform enables a maliciously uploaded dataset to write local or remote files to an arbitrary location on an end user’s system when interacted with. | |||||
| CVE-2024-24579 | 1 Anchore | 1 Stereoscope | 2024-11-21 | N/A | 5.3 MEDIUM |
| stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope. | |||||
| CVE-2024-24569 | 1 Pixee | 1 Java Code Security Toolkit | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. `ZipSecurity#isBelowCurrentDirectory` is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version <=1.1.1, use ZipSecurity as a guard against path traversal, and have an exploit path. Although the control still protects attackers from escaping the application path into higher level directories (e.g., /etc/), it will allow "escaping" into sibling paths. For example, if your running path is /my/app/path you an attacker could navigate into /my/app/path-something-else. This vulnerability is patched in 1.1.2. | |||||
| CVE-2024-24565 | 1 Cratedb | 1 Cratedb | 2024-11-21 | N/A | 5.7 MEDIUM |
| CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1. | |||||
| CVE-2024-24482 | 2 Apktool, Microsoft | 2 Apktool, Windows | 2024-11-21 | N/A | 9.8 CRITICAL |
| Aprktool before 2.9.3 on Windows allows ../ and /.. directory traversal. | |||||
| CVE-2024-24398 | 1 Stimulsoft | 1 Dashboards.php | 2024-11-21 | N/A | 9.8 CRITICAL |
| Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the fileName parameter of the Save function. | |||||
| CVE-2024-24320 | 1 Mgt-commerce | 1 Cloudpanel | 2024-11-21 | N/A | 8.8 HIGH |
| Directory Traversal vulnerability in Mgt-commerce CloudPanel v.2.0.0 thru v.2.4.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the service parameter of the load-logfiles function. | |||||
| CVE-2024-24311 | 1 Lineagrafica | 1 Multilingual And Multistore Sitemap Pro | 2024-11-21 | N/A | 7.5 HIGH |
| Path Traversal vulnerability in Linea Grafica "Multilingual and Multistore Sitemap Pro - SEO" (lgsitemaps) module for PrestaShop before version 1.6.6, a guest can download personal information without restriction. | |||||
| CVE-2024-24307 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Path Traversal vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows a remote attacker to escalate privileges and obtain sensitive information via the ajaxProcessCropImage() method. | |||||
| CVE-2024-24122 | 1 Wondershare | 1 Edraw | 2024-11-21 | N/A | 3.3 LOW |
| A remote code execution vulnerability in the project management of Wanxing Technology's Yitu project which allows an attacker to use the exp.adpx file as a zip compressed file to construct a special file name, which can be used to decompress the project file into the system startup folder, restart the system, and automatically execute the constructed attack script. | |||||
| CVE-2024-24043 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
| Directory Traversal vulnerability in Speedy11CZ MCRPX v.1.4.0 and before allows a local attacker to execute arbitrary code via a crafted file. | |||||
| CVE-2024-24042 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Directory Traversal vulnerability in Devan-Kerman ARRP v.0.8.1 and before allows a remote attacker to execute arbitrary code via the dumpDirect in RuntimeResourcePackImpl component. | |||||
| CVE-2024-23946 | 1 Apache | 1 Ofbiz | 2024-11-21 | N/A | 5.3 MEDIUM |
| Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | |||||
| CVE-2024-23833 | 1 Openrefine | 1 Openrefine | 2024-11-21 | N/A | 7.5 HIGH |
| OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-23827 | 1 Nginxui | 1 Nginx Ui | 2024-11-21 | N/A | 9.8 CRITICAL |
| Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue. | |||||
| CVE-2024-23822 | 1 Thruk | 1 Thruk | 2024-11-21 | N/A | 5.4 MEDIUM |
| Thruk is a multibackend monitoring webinterface. Prior to 3.12, the Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal. Version 3.12 fixes the issue. | |||||
| CVE-2024-23793 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
| The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts. This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | |||||
| CVE-2024-23774 | 2024-11-21 | N/A | 7.8 HIGH | ||
| An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An unquoted Windows search path vulnerability exists in the KSchedulerSvc.exe and AMPTools.exe components. This allows local attackers to execute code of their choice with NT Authority\SYSTEM privileges. | |||||