Total
7723 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3387 | 1 Advantech | 1 R-seenet | 2024-11-21 | N/A | 6.5 MEDIUM |
| Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks. An unauthorized attacker could remotely exploit vulnerable PHP code to delete .PDF files. | |||||
| CVE-2022-3361 | 1 Ultimatemember | 1 Ultimate Member | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users. | |||||
| CVE-2022-3184 | 1 Dataprobe | 24 Iboot-pdu4-n20, Iboot-pdu4-n20 Firmware, Iboot-pdu4a-n15 and 21 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| Dataprobe iBoot-PDU FW versions prior to 1.42.06162022 contain a vulnerability where the device’s existing firmware allows unauthenticated users to access an old PHP page vulnerable to directory traversal, which may allow a user to write a file to the webroot directory. | |||||
| CVE-2022-3162 | 1 Kubernetes | 1 Kubernetes | 2024-11-21 | N/A | 6.5 MEDIUM |
| Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group. | |||||
| CVE-2022-3146 | 2 Openstack, Redhat | 3 Tripleo Ansible, Openstack, Openstack For Ibm Power | 2024-11-21 | N/A | 5.5 MEDIUM |
| A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment. | |||||
| CVE-2022-3101 | 2 Openstack, Redhat | 3 Tripleo Ansible, Openstack, Openstack For Ibm Power | 2024-11-21 | N/A | 5.5 MEDIUM |
| A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment. | |||||
| CVE-2022-3090 | 1 Redlion | 1 Crimson | 2024-11-21 | N/A | 7.5 HIGH |
| Red Lion Controls Crimson 3.0 versions 707.000 and prior, Crimson 3.1 versions 3126.001 and prior, and Crimson 3.2 versions 3.2.0044.0 and prior are vulnerable to path traversal. When attempting to open a file using a specific path, the user's password hash is sent to an arbitrary host. This could allow an attacker to obtain user credential hashes. | |||||
| CVE-2022-39858 | 1 Samsung | 1 Factorycamera | 2024-11-21 | N/A | 7.3 HIGH |
| Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to write arbitrary file as FactoryCamera privilege. | |||||
| CVE-2022-39838 | 1 Systematicalpha | 2 Systematic Fix Adapter, Systematic Fix Adapter Firmware | 2024-11-21 | N/A | 8.6 HIGH |
| Systematic FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remote file inclusion via a UNC share pathname, and also allows absolute path traversal to local pathnames. | |||||
| CVE-2022-39802 | 1 Sap | 1 Manufacturing Execution | 2024-11-21 | N/A | 7.5 HIGH |
| SAP Manufacturing Execution - versions 15.1, 15.2, 15.3, allows an attacker to exploit insufficient validation of a file path request parameter. The intended file path can be manipulated to allow arbitrary traversal of directories on the remote server. The file content within each directory can be read which may lead to information disclosure. | |||||
| CVE-2022-39367 | 1 Qtiworks Project | 1 Qtiworks | 2024-11-21 | N/A | 8.6 HIGH |
| QTIWorks is a software suite for standards-based assessment delivery. Prior to version 1.0-beta15, the QTIWorks Engine allows users to upload QTI content packages as ZIP files. The ZIP handling code does not sufficiently check the paths of files contained within ZIP files, so can insert files into other locations in the filesystem if they are writable by the process running the QTIWorks Engine. In extreme cases, this could allow anonymous users to change files in arbitrary locations in the filesystem. In normal QTIWorks Engine deployments, the impact is somewhat reduced because the default QTIWorks configuration does not enable the public demo functionality, so ZIP files can only be uploaded by users with "instructor" privileges. This vulnerability is fixed in version 1.0-beta15. There are no database configuration changes required when upgrading to this version. No known workarounds for this issue exist. | |||||
| CVE-2022-39345 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2024-11-21 | N/A | 9.8 CRITICAL |
| Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Gin-vue-admin prior to 2.5.4 is vulnerable to path traversal, which leads to file upload vulnerabilities. Version 2.5.4 contains a patch for this issue. There are no workarounds aside from upgrading to a patched version. | |||||
| CVE-2022-39296 | 1 Melistechnology | 1 Melis-asset-manager | 2024-11-21 | N/A | 8.6 HIGH |
| MelisAssetManager provides deliveries of Melis Platform's assets located in every module's public folder. Attackers can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-asset-manager` >= 5.0.1. This issue was addressed by restricting access to files to intended directories only. | |||||
| CVE-2022-39261 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-11-21 | N/A | 7.5 HIGH |
| Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading. | |||||
| CVE-2022-39221 | 2 Mcwebserver Minecraft Mod For Fabric And Quilt Project, Mcwebserver Minecraft Mod For Forge Project | 2 Mcwebserver Minecraft Mod For Fabric And Quilt, Mcwebserver Minecraft Mod For Forge | 2024-11-21 | N/A | 7.5 HIGH |
| McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files, accessible by the program, to be read by anyone via HTTP request. Version 0.2.0 with patches are released to both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the `mods` directory. | |||||
| CVE-2022-39215 | 1 Tauri | 1 Tauri | 2024-11-21 | N/A | 8.3 HIGH |
| Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`. | |||||
| CVE-2022-39210 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | N/A | 3.2 LOW |
| Nextcloud android is the official Android client for the Nextcloud home server platform. Internal paths to the Nextcloud Android app files are not properly protected. As a result access to internal files of the from within the Nextcloud Android app is possible. This may lead to a leak of sensitive information in some cases. It is recommended that the Nextcloud Android app is upgraded to 3.21.0. There are no known workarounds for this issue. | |||||
| CVE-2022-39059 | 1 Changingtec | 1 Megaservisignadapter | 2024-11-21 | N/A | 7.5 HIGH |
| ChangingTech MegaServiSignAdapter component has a path traversal vulnerability within its file reading function. An unauthenticated remote attacker can exploit this vulnerability to access arbitrary system files. | |||||
| CVE-2022-39058 | 1 Changingtec | 1 Rava Certificate Validation System | 2024-11-21 | N/A | 7.5 HIGH |
| RAVA certification validation system has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and access arbitrary system files. | |||||
| CVE-2022-39045 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability. | |||||