Total
7976 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6831 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | 8.1 High |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. | ||||
| CVE-2023-6753 | 2 Lfprojects, Microsoft | 2 Mlflow, Windows | 2024-11-21 | 8.8 High |
| Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2. | ||||
| CVE-2023-6699 | 1 Wpcompress | 1 Wp Compress | 2024-11-21 | 9.1 Critical |
| The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.10.33 via the css parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2023-6577 | 1 Byzoro | 2 Patrolflow-am-2530pro, Patrolflow-am-2530pro Firmware | 2024-11-21 | 4.3 Medium |
| A vulnerability was found in Byzoro PatrolFlow 2530Pro up to 20231126. It has been rated as problematic. This issue affects some unknown processing of the file /log/mailsendview.php. The manipulation of the argument file with the input /boot/phpConfig/tb_admin.txt leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247157 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-6562 | 1 Kakadusoftware | 1 Kakadu Sdk | 2024-11-21 | 7.5 High |
| JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially-crafted the image that is displayed back to the attacker. | ||||
| CVE-2023-6559 | 1 Web-soudan | 1 Mw Wp Form | 2024-11-21 | 7.5 High |
| The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. | ||||
| CVE-2023-6458 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | 7.1 High |
| Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | ||||
| CVE-2023-6407 | 2 Microsoft, Schneider-electric | 6 Windows 10 1507, Windows 11 21h2, Windows Server 2016 and 3 more | 2024-11-21 | 5.3 Medium |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker. | ||||
| CVE-2023-6352 | 1 Aquaforest | 1 Tiff Server | 2024-11-21 | 5.3 Medium |
| The default configuration of Aquaforest TIFF Server allows access to arbitrary file paths, subject to any restrictions imposed by Internet Information Services (IIS) or Microsoft Windows. Depending on how a web application uses and configures TIFF Server, a remote attacker may be able to enumerate files or directories, traverse directories, bypass authentication, or access restricted files. | ||||
| CVE-2023-6307 | 1 Jeecg | 1 Jimureport | 2024-11-21 | 6.3 Medium |
| A vulnerability classified as critical was found in jeecgboot JimuReport up to 1.6.1. Affected by this vulnerability is an unknown functionality of the file /download/image. The manipulation of the argument imageUrl leads to relative path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246133 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-6265 | 1 Draytek | 2 Vigor2960, Vigor2960 Firmware | 2024-11-21 | 6.5 Medium |
| ** UNSUPPORTED WHEN ASSIGNED ** Draytek Vigor2960 v1.5.1.4 and v1.5.1.5 are vulnerable to directory traversal via the mainfunction.cgi dumpSyslog 'option' parameter allowing an authenticated attacker with access to the web management interface to delete arbitrary files. Vigor2960 is no longer supported. | ||||
| CVE-2023-6252 | 1 Hyphensolutions | 1 Chameleon Power | 2024-11-21 | 7.5 High |
| Path traversal vulnerability in Chalemelon Power framework, affecting the getImage parameter. This vulnerability could allow a remote user to read files located on the server and gain access to sensitive information such as configuration files. | ||||
| CVE-2023-6222 | 1 Quttera | 1 Quttera Web Malware Scanner | 2024-11-21 | 7.2 High |
| IThe Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks | ||||
| CVE-2023-6160 | 1 Lifterlms | 1 Lifterlms | 2024-11-21 | 3.3 Low |
| The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 7.4.2 via the maybe_serve_export function. This makes it possible for authenticated attackers, with administrator or LMS manager access and above, to read the contents of arbitrary CSV files on the server, which can contain sensitive information as well as removing those files from the server. | ||||
| CVE-2023-6032 | 1 Schneider-electric | 4 Galaxy Vl, Galaxy Vl Firmware, Galaxy Vs and 1 more | 2024-11-21 | 5.3 Medium |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause a file system enumeration and file download when an attacker navigates to the Network Management Card via HTTPS. | ||||
| CVE-2023-6026 | 1 Elijaa | 1 Phpmemcachedadmin | 2024-11-21 | 9.8 Critical |
| A Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0. This vulnerability allows an attacker to delete files stored on the server due to lack of proper verification of user-supplied input. | ||||
| CVE-2023-6023 | 1 Vertaai | 1 Modeldb | 2024-11-21 | 7.5 High |
| An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter. | ||||
| CVE-2023-6015 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | 7.5 High |
| MLflow allowed arbitrary files to be PUT onto the server. | ||||
| CVE-2023-5991 | 1 Motopress | 1 Hotel Booking Lite | 2024-11-21 | 9.8 Critical |
| The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server | ||||
| CVE-2023-5938 | 2024-11-21 | 8 High | ||
| Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via 'zip slip' attacks. An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to have arbitrary files extracted to arbitrary filesystem locations. Leveraging this issue, an attacker may be able to overwrite arbitrary files on the target filesystem and cause critical impacts on the system (e.g., arbitrary command execution on the victim’s machine). | ||||