CVE-2014-125033

Path Traversal: '../filedir' (CWE-24)

Published: Jan 2, 2023 / Updated: 22mo ago

CVSS 7.5 (High) / EPSS 0.06%

A vulnerability was found in rails-cv-app and rated as problematic. It affects unspecified functionality in the file app/controllers/uploaded_files_controller.rb. Supplying the input ../../../etc/passwd leads to path traversal ('../filedir'): the user-controlled name reaches a filesystem path without being confined to the intended upload directory, so a remote, unauthenticated attacker can read files the application user can read. This matches the CVSS vector below (network, no privileges, no user interaction, high confidentiality impact, no integrity or availability impact). The exploit has been disclosed to the public and may be used. The fix is commit 0d20362af0a5f8a126f67c77833868908484a863; applying it is recommended. VDB-217178 is the identifier assigned to this vulnerability.
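The bug class above, as an added example that is not code from rails-cv-app or from the referenced patch: a constructed Ruby stand-in for the path computation an uploaded-files controller performs before handing a file to send_file, with the vulnerable join beside a hardened variant. UPLOAD_ROOT, the function names and the sample filenames are assumptions made for the illustration.

```ruby
# Added example, not rails-cv-app code. Hypothetical upload directory
# (absolute, no trailing separator).
UPLOAD_ROOT = "/srv/app/uploads".freeze

class PathTraversalError < StandardError; end

# Vulnerable pattern: the user-controlled name is joined onto the upload
# directory and used as-is. File.join does not collapse "..", and the
# filesystem honours it, so "../../../etc/passwd" walks out of UPLOAD_ROOT.
def unsafe_upload_path(filename)
  File.join(UPLOAD_ROOT, filename)
end

# The canonical path the kernel ends up opening for a given path string.
def resolved(path)
  File.expand_path(path)
end

# Hardened form: reject NUL bytes, canonicalise the candidate lexically
# (collapsing "." and "..") and require that it stays strictly below
# UPLOAD_ROOT. File.absolute_path is used rather than File.expand_path so a
# leading "~" is treated as a literal name instead of being expanded to a
# home directory (which would also raise if HOME were unset).
def safe_upload_path(filename)
  raise PathTraversalError, "empty filename" if filename.nil? || filename.empty?
  raise PathTraversalError, "NUL byte in filename" if filename.include?("\0")

  candidate = File.absolute_path(filename, UPLOAD_ROOT)
  # The trailing separator matters: without it "/srv/app/uploads_old/x" or
  # UPLOAD_ROOT itself would pass the prefix test.
  unless candidate.start_with?(UPLOAD_ROOT + File::SEPARATOR)
    raise PathTraversalError, "path escapes upload root: #{filename.inspect}"
  end
  candidate
end

# Boolean wrapper, convenient for tests and for a controller's rescue_from.
def traversal_rejected?(filename)
  safe_upload_path(filename)
  false
rescue PathTraversalError
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names; the first three are legitimate, the rest hostile.
  samples = ["cv.pdf", "resumes/jane.pdf", "resumes/../cv.pdf",
             "../../../etc/passwd", "/etc/passwd", "..", "../uploads_old/x"]
  samples.each do |name|
    unsafe = resolved(unsafe_upload_path(name))
    verdict = traversal_rejected?(name) ? "REJECTED" : "ok -> #{safe_upload_path(name)}"
    puts "#{name.inspect.ljust(24)} unsafe opens #{unsafe.ljust(36)} hardened: #{verdict}"
  end
end
```

The check is lexical, so it is only sound if the upload directory cannot contain attacker-controlled symlinks; where it can, resolve the candidate with File.realpath (which requires the file to exist) and compare that against the realpath of the root. Note also that File.join happens to neutralise an absolute second argument ("/srv/app/uploads/etc/passwd"), whereas Pathname#join and Pathname#+ discard the base entirely when the argument is absolute, so a Rails.root.join("uploads", params[:name]) variant is worse than the File.join one shown here.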

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

EPSS
EPSS Score was set to: 0.06% (Percentile: 26.7%)
Oct 20, 2023 at 6:20 AM

First Article
Feedly found the first article mentioning CVE-2014-125033.
Mar 8, 2024 at 6:07 PM / Recent Commits to cve:main

Affected Systems

Rails-cv-app_project/rails-cv-app

Patches

github.com (commit 0d20362af0a5f8a126f67c77833868908484a863)

Attack Patterns

CAPEC-126: Path Traversal

References

Vulnerability Summary for the Week of January 2, 2023
Original release date: January 9, 2023 Last revised: January 10, 2023 High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info synology -- vpn_plus_server Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors. 2023-01-03 10 CVE-2022-43931 MISC printer_project -- printer A vulnerability was found in Exciting Printer and classified as critical. This issue affects some unknown processing of the file lib/printer/jobs/prepare_page.rb of the component Argument Handler. The manipulation of the argument URL leads to command injection. The name of the patch is 5f8c715d6e2cc000f621a6833f0a86a673462136. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217139.

News

Update Sat Oct 5 14:31:48 UTC 2024
Update Fri Mar 8 18:06:37 UTC 2024
US-CERT Bulletin (SB23-009):Vulnerability Summary for the Week of January 2, 2023
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA.
Vulnerability Summary for the Week of January 2, 2023
cyradm — web-cyradm A vulnerability classified as problematic has been found in web-cyradm. This affects an unknown part of the file search.php. The manipulation of the argument searchstring leads to sql injection. It is recommended to apply a patch to fix this issue. The identifier VDB-217449 was assigned to this vulnerability. 2023-01-05 not yet calculated CVE-2007-10001 MISC MISC MISC titlelink — titlelink A vulnerability classified as critical was found in gesellix titlelink. Affected by this vulnerability is an unknown functionality of the file plugin_content_title.php. The manipulation of the argument phrase leads to sql injection. The name of the patch is b4604e523853965fa981a4e79aef4b554a535db0. It is recommended to apply a patch to fix this issue.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
