Total
7974 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-31505 | 1 Mercadoenlineaback Project | 1 Mercadoenlineaback | 2024-11-21 | 9.3 Critical |
| The cheo0/MercadoEnLineaBack repository through 2022-05-04 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | ||||
| CVE-2022-31504 | 1 Baiduwenkuspider Flaskweb Project | 1 Baiduwenkuspider Flaskweb | 2024-11-21 | 9.3 Critical |
| The ChangeWeDer/BaiduWenkuSpider_flaskWeb repository before 2021-11-29 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | ||||
| CVE-2022-31503 | 1 Orchest | 1 Orchest | 2024-11-21 | 9.3 Critical |
| The orchest/orchest repository before 2022.05.0 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | ||||
| CVE-2022-31502 | 1 Wormnest Project | 1 Wormnest | 2024-11-21 | 9.3 Critical |
| The operatorequals/wormnest repository through 0.4.7 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | ||||
| CVE-2022-31501 | 1 Onyxforum Project | 1 Onyxforum | 2024-11-21 | 9.3 Critical |
| The ChaoticOnyx/OnyxForum repository before 2022-05-04 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. | ||||
| CVE-2022-31483 | 2 Carrier, Hidglobal | 28 Lenels2 Lnl-4420, Lenels2 Lnl-4420 Firmware, Lenels2 Lnl-x2210 and 25 more | 2024-11-21 | 9.1 Critical |
| An authenticated attacker can upload a file with a filename including “..” and “/” to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlaying Linux operating system with root privileges. | ||||
| CVE-2022-31473 | 1 F5 | 1 Big-ip Access Policy Manager | 2024-11-21 | 6.8 Medium |
| In BIG-IP Versions 16.1.x before 16.1.1 and 15.1.x before 15.1.4, when running in Appliance mode, an authenticated attacker may be able to bypass Appliance mode restrictions due to a directory traversal vulnerability in an undisclosed page within iApps. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2022-31457 | 1 Rtx Trap Project | 1 Rtx Trap | 2024-11-21 | 7.5 High |
| RTX TRAP v1.0 allows attackers to perform a directory traversal via a crafted request sent to the endpoint /data/. | ||||
| CVE-2022-31395 | 1 Algosolutions | 2 8373 Ip Zone Paging Adapter, 8373 Ip Zone Paging Adapter Firmware | 2024-11-21 | 8.8 High |
| Algo Communication Products Ltd. 8373 IP Zone Paging Adapter Firmware 1.7.6 allows attackers to perform a directory traversal via a web request sent to /fm-data.lua. | ||||
| CVE-2022-31372 | 1 Wiris | 1 Mathtype | 2024-11-21 | 7.5 High |
| Wiris Mathtype v7.28.0 was discovered to contain a path traversal vulnerability in the resourceFile parameter. This vulnerability is exploited via a crafted request to the resource handler. | ||||
| CVE-2022-31268 | 1 Gitblit | 1 Gitblit | 2024-11-21 | 7.5 High |
| A Path Traversal vulnerability in Gitblit 1.9.3 can lead to reading website files via /resources//../ (e.g., followed by a WEB-INF or META-INF pathname). | ||||
| CVE-2022-31202 | 1 Monitoringsoft | 1 Softguard Web | 2024-11-21 | 6.5 Medium |
| The export function in SoftGuard Web (SGW) before 5.1.5 allows directory traversal to read an arbitrary local file via export or man.tcl. | ||||
| CVE-2022-31163 | 3 Debian, Redhat, Tzinfo Project | 4 Debian Linux, Satellite, Storage and 1 more | 2024-11-21 | 7.5 High |
| TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`. | ||||
| CVE-2022-30804 | 1 Elitecms | 1 Elite Cms | 2024-11-21 | 6.5 Medium |
| elitecms v1.01 is vulnerable to Delete any file via /admin/delete_image.php?file=. | ||||
| CVE-2022-30572 | 1 Tibco | 1 Iway Service Manager | 2024-11-21 | 6.5 Medium |
| The iWay Service Manager Console component of TIBCO Software Inc.'s TIBCO iWay Service Manager contains an easily exploitable Directory Traversal vulnerability that allows a low privileged attacker with network access to read arbitrary resources on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO iWay Service Manager: versions 8.0.6 and below. | ||||
| CVE-2022-30508 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 6.5 Medium |
| DedeCMS v5.7.93 was discovered to contain arbitrary file deletion vulnerability in upload.php via the delete parameter. | ||||
| CVE-2022-30427 | 1 Ginadmin Project | 1 Ginadmin | 2024-11-21 | 7.5 High |
| In ginadmin through 05-10-2022 the incoming path value is not filtered, resulting in directory traversal. | ||||
| CVE-2022-30321 | 2 Hashicorp, Redhat | 3 Go-getter, Openshift, Openstack | 2024-11-21 | 8.6 High |
| go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go-getter path traversal, symlink processing, and command injection flaws. Fixed in 1.6.1 and 2.1.0. | ||||
| CVE-2022-30302 | 1 Fortinet | 1 Fortideceptor | 2024-11-21 | 6.5 Medium |
| Multiple relative path traversal vulnerabilities [CWE-23] in FortiDeceptor management interface 1.0.0 through 3.2.x, 3.3.0 through 3.3.2, 4.0.0 through 4.0.1 may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests. | ||||
| CVE-2022-30301 | 1 Fortinet | 1 Fortiap-u | 2024-11-21 | 7.8 High |
| A path traversal vulnerability [CWE-22] in FortiAP-U CLI 6.2.0 through 6.2.3, 6.0.0 through 6.0.4, 5.4.0 through 5.4.6 may allow an admin user to delete and access unauthorized files and data via specifically crafted CLI commands. | ||||