CVE ID | CVSS | Vendor | Exploit | Patch | Trends |
---|---|---|---|---|---|
CVE-2024-7608An authenticated user can download sensitive files from Trellix products NX, EX, FX, AX, IVX, and CMS using path traversal for the URL of network anomaly download_artifact. | CVSS 5.9 | Trellix | - | - | |
CVE-2024-52390: Path Traversal: '.../...//' vulnerability in CYAN Backup allows Path Traversal.This issue affects CYAN Backup: from n/a through 2.5.3. | CVSS 4.9 | Wordpress | - | - | |
CVE-2024-51582Path Traversal: '.../...//' vulnerability in ThimPress WP Hotel Booking allows PHP Local File Inclusion.This issue affects WP Hotel Booking: from n/a through 2.1.4. | CVSS 8.8 | Thimpress | - | - | |
CVE-2024-49770`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue. | CVSS MEDIUM | - | Patched | ||
CVE-2024-49258Path Traversal: '.../...//' vulnerability in Limb WordPress Gallery Plugin – Limb Image Gallery.This issue affects WordPress Gallery Plugin – Limb Image Gallery: from n/a through 1.5.7. | CVSS 6.5 | Wordpress | - | - | |
CVE-2024-47171Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement. This does not affect `agnai.chat`, installations using S3-compatible storage, or self-hosting that is not publicly exposed. Version 1.0.330 fixes this vulnerability. | CVSS 4.3 | - | Patched | ||
CVE-2024-47170Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only. Version 1.0.330 fixes this issue. | CVSS 4.3 | - | Patched | ||
CVE-2024-47169A vulnerability has been discovered in Agnai that permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaScript, enabling the execution of commands within those files. This issue could result in unauthorized access, full server compromise, data leakage, and other critical security threats. This does not affect: agnai.chat
installations using S3-compatible storage
self-hosting that is not publicly exposed
This DOES affect: publicly hosted installs without S3-compatible storage | CVSS 8.8 | - | Patched | ||
CVE-2024-45248Multi-DNC – CWE-35: Path Traversal: '.../...//' | CVSS 7.5 | Centos | - | - | |
CVE-2024-45190Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Pipeline Interaction" request | CVSS 6.5 | Mage | - | Patched | |
CVE-2024-41973A low privileged remote attacker can specify an arbitrary file on the filesystem which may lead to an arbitrary file writes with root privileges. | CVSS 8.1 | Oracle | - | - | |
CVE-2024-41972A low privileged remote attacker can overwrite an arbitrary file on the filesystem which may lead to an arbitrary file read with root privileges. | CVSS 6.5 | Apache | - | - | |
CVE-2024-40505**UNSUPPORTED WHEN ASSIGNED** Directory Traversal vulnerability in D-Link DAP-1650 Firmware v.1.03 allows a local attacker to escalate privileges via the hedwig.cgi component. | CVSS 9.3 | Dlink | - | - | |
CVE-2024-39171Directory Travel in PHPVibe v11.0.46 due to incomplete blacklist checksums and directory checks, which can lead to code execution via writing specific statements to .htaccess and code to a file with a .png suffix. | CVSS 9.8 | Phpvibe | Exploit | - | |
CVE-2024-36991In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows. | CVSS 7.5 | Splunk | Exploit | Patched | |
CVE-2024-34191htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the delete_post() function at admin.php. This vulnerability allows attackers to delete arbitrary files via a crafted request. | CVSS 6.5 | Htmly | - | - | |
CVE-2024-2863This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant. | CVSS 5.3 | - | - | ||
CVE-2024-27901SAP Asset Accounting could allow a high privileged attacker to exploit insufficient validation of path information provided by the users and pass it through to the file API's. Thus, causing a considerable impact on confidentiality, integrity and availability of the application.
| CVSS 7.2 | - | - | ||
CVE-2024-1886
This vulnerability allows remote attackers to traverse the directory on the affected webOS of LG Signage TV.
| CVSS 3 | - | - | ||
CVE-2024-11136The default TCL Camera application exposes a provider vulnerable to path traversal vulnerability. Malicious application can supply malicious URI path and delete arbitrary files from user’s external storage. | CVSS Low | Tcl | - | - | |
CVE-2024-0113NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation of privileges and information disclosure. | CVSS 8.8 | Nvidia | Exploit | Patched | |
CVE-2024-0067Marinus Pfund, member of the AXIS OS Bug Bounty Program,
has found the VAPIX API ledlimit.cgi was vulnerable for path traversal attacks allowing to list folder/file names on the local file system of the Axis device.
Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution. | CVSS 4.3 | Axis | - | - | |
CVE-2023-6252Path traversal vulnerability in Chalemelon Power framework, affecting the getImage parameter. This vulnerability could allow a remote user to read files located on the server and gain access to sensitive information such as configuration files. | CVSS 7.5 | - | - | ||
CVE-2023-5885The discontinued FFS Colibri product allows a remote user to access files on the system including files containing login credentials for other users.
| CVSS 6.5 | Franklinfueling | - | - | |
CVE-2023-5800Vintage,
member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi
did not have a sufficient input validation allowing for a possible remote code
execution. This flaw can only be exploited after authenticating with an
operator- or administrator-privileged service account. Axis has released patched AXIS OS
versions for the highlighted flaw. Please refer to the Axis security advisory
for more information and solution.
| CVSS 8.8 | Axis | - | Patched | |
CVE-2023-47279In Delta Electronics InfraSuite Device Master v.1.0.7, A vulnerability exists that allows an unauthenticated attacker to disclose user information through a single UDP packet, obtain plaintext credentials, or perform NTLM relaying. | CVSS 7.5 | Deltaww | - | - | |
CVE-2023-46690In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an attacker to write to any file to any location of the filesystem, which could lead to remote code execution. | CVSS 8.8 | Deltaww | - | - | |
CVE-2023-43803Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | CVSS 7.1 | Arduino | - | Patched | |
CVE-2023-43802Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/upload` which handles request with the `filename` parameter. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate their privileges to those of the user running the Arduino Create Agent service via a crafted HTTP POST request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | CVSS 7.8 | Arduino | - | Patched | |
CVE-2023-43801Arduino Create Agent is a package to help manage Arduino development. This vulnerability affects the endpoint `/v2/pkgs/tools/installed` and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can delete arbitrary files or folders belonging to the user that runs the Arduino Create Agent via a crafted HTTP DELETE request. This issue has been addressed in version `1.3.3`. Users are advised to upgrade. There are no known workarounds for this issue.
| CVSS 7.1 | Arduino | - | Patched | |
CVE-2023-41793: Path Traversal vulnerability in Pandora FMS on all allows Path Traversal. This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories. This issue affects Pandora FMS: from 700 through <776. | CVSS 6.7 | Pandorafms | - | - | |
CVE-2023-21418Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
| CVSS 7.1 | Axis | - | Patched | |
CVE-2023-21417Sandro Poppi, member of the AXIS OS Bug Bounty Program,
has found that the VAPIX API manageoverlayimage.cgi was vulnerable to path traversal attacks that allows for file/folder deletion. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account. The impact of exploiting this vulnerability is lower with operator service accounts and limited to non-system files compared to administrator-privileges.
Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
| CVSS 7.1 | Axis | - | Patched | |
CVE-2023-21416Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi was vulnerable to a Denial-of-Service attack allowing for an attacker to block access to the overlay configuration page in the web interface of the Axis device. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account however the impact is equal. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
| CVSS 6.5 | Axis | - | Patched | |
CVE-2023-21415Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
| CVSS 8.1 | Axis | - | Patched | |
CVE-2022-48476In JetBrains Ktor before 2.3.0 path traversal in the `resolveResource` method was possible
| CVSS 7.5 | Jetbrains | - | Patched | |
CVE-2022-46826In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability. | CVSS 5.5 | Jetbrains | - | Patched | |
CVE-2022-3693Path Traversal vulnerability in Deytek Informatics FileOrbis File Management System allows Path Traversal.This issue affects FileOrbis File Management System: from unspecified before 10.6.3.
| CVSS 7.5 | Fileorbis | - | - | |
CVE-2022-24774CycloneDX BOM Repository Server is a bill of materials (BOM) repository server for distributing CycloneDX BOMs. CycloneDX BOM Repository Server before version 2.0.1 has an improper input validation vulnerability leading to path traversal. A malicious user may potentially exploit this vulnerability to create arbitrary directories or a denial of service by deleting arbitrary directories. The vulnerability is resolved in version 2.0.1. The vulnerability is not exploitable with the default configuration with the post and delete methods disabled. This can be configured by modifying the `appsettings.json` file, or alternatively, setting the environment variables `ALLOWEDMETHODS__POST` and `ALLOWEDMETHODS__DELETE` to `false`. | CVSS 8.1 | Cyclonedx | - | Patched | |
CVE-2022-2265The Identity and Directory Management System developed by Çekino Bilgi Teknolojileri before version 2.1.25 has an unauthenticated Path traversal vulnerability. This has been fixed in the version 2.1.25
| CVSS 7.5 | - | - | ||
CVE-2021-1364Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. | CVSS 4.9 | Cisco | - | Patched | |
CVE-2021-1357Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. | CVSS 6.5 | Cisco | - | Patched | |
CVE-2021-1355Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. | CVSS 6.5 | Cisco | - | Patched | |
CVE-2021-1282Multiple vulnerabilities in Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an attacker to conduct path traversal attacks and SQL injection attacks on an affected system. One of the SQL injection vulnerabilities that affects Unified CM IM&P also affects Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) and could allow an attacker to conduct SQL injection attacks on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. | CVSS 4.9 | Cisco | - | Patched | |
CVE-2021-1132A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data.
This vulnerability exists because the web-management interface and certain HTTP-based APIs do not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | CVSS 5.3 | Cisco | - | - | |
CVE-2020-27130A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to download arbitrary files from the affected device. | CVSS 9.1 | Cisco | - | Patched | |
CVE-2020-26073A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information.
The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | CVSS 7.5 | Cisco | - | - | |
CVE-2018-3744The html-pages node module contains a path traversal vulnerabilities that allows an attacker to read any file from the server with cURL. | CVSS 9.8 | Html-pages project | Exploit | - |