Total
7974 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-26019 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2024-11-21 | 8.8 High |
| Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. | ||||
| CVE-2022-25856 | 1 Argo Events Project | 1 Argo Events | 2024-11-21 | 7.5 High |
| The package github.com/argoproj/argo-events/sensors/artifacts before 1.7.1 are vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ... | ||||
| CVE-2022-25842 | 1 Alibabagroup | 1 One-java-agent | 2024-11-21 | 6.9 Medium |
| All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. | ||||
| CVE-2022-25634 | 1 Qt | 1 Qt | 2024-11-21 | 7.5 High |
| Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. | ||||
| CVE-2022-25591 | 1 Blogengine | 1 Blogengine.net | 2024-11-21 | 9.1 Critical |
| BlogEngine.NET v3.3.8.0 was discovered to contain an arbitrary file deletion vulnerability which allows attackers to delete files within the web server root directory via a crafted HTTP request. | ||||
| CVE-2022-25412 | 1 Max-3000 | 1 Maxsite Cms | 2024-11-21 | 8.1 High |
| Maxsite CMS v180 was discovered to contain multiple arbitrary file deletion vulnerabilities in /admin_page/all-files-update-ajax.php via the dir and deletefile parameters. | ||||
| CVE-2022-25371 | 1 Apache | 1 Ofbiz | 2024-11-21 | 9.8 Critical |
| Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier. | ||||
| CVE-2022-25358 | 1 Awful-salmonella-tar Project | 1 Awful-salmonella-tar | 2024-11-21 | 5.3 Medium |
| A ..%2F path traversal vulnerability exists in the path handler of awful-salmonella-tar before 0.0.4. Attackers can only list directories (not read files). This occurs because the safe-path? Scheme predicate is not used for directories. | ||||
| CVE-2022-25298 | 1 Webcc Project | 1 Webcc | 2024-11-21 | 7.5 High |
| This affects the package sprinfall/webcc before 0.3.0. It is possible to traverse directories to fetch arbitrary files from the server. | ||||
| CVE-2022-25267 | 1 Passwork | 1 Passwork | 2024-11-21 | 8.8 High |
| Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files). | ||||
| CVE-2022-25266 | 1 Passwork | 1 Passwork | 2024-11-21 | 4.3 Medium |
| Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files). | ||||
| CVE-2022-25216 | 1 Dvdfab | 2 12 Player, Playerfab | 2024-11-21 | 7.5 High |
| An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>. | ||||
| CVE-2022-25188 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.3 Medium |
| Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker. | ||||
| CVE-2022-25178 | 2 Jenkins, Redhat | 2 Pipeline\, Openshift | 2024-11-21 | 6.5 Medium |
| Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system. | ||||
| CVE-2022-25046 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 9.8 Critical |
| A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | ||||
| CVE-2022-24992 | 1 Qr Code Generator Project | 1 Qr Code Generator | 2024-11-21 | 7.5 High |
| A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal. | ||||
| CVE-2022-24983 | 1 Jqueryform | 1 Jqueryform | 2024-11-21 | 7.5 High |
| Forms generated by JQueryForm.com before 2022-02-05 allow remote attackers to obtain the URI to any uploaded file by capturing the POST response. When chained with CVE-2022-24984, this could lead to unauthenticated remote code execution on the underlying web server. This occurs because the Unique ID field is contained in the POST response upon submitting a form. | ||||
| CVE-2022-24977 | 1 Impresscms | 1 Impresscms | 2024-11-21 | 9.8 Critical |
| ImpressCMS before 1.4.2 allows unauthenticated remote code execution via ...../// directory traversal in origName or imageName, leading to unsafe interaction with the CKEditor processImage.php script. The payload may be placed in PHP_SESSION_UPLOAD_PROGRESS when the PHP installation supports upload_progress. | ||||
| CVE-2022-24659 | 1 Goldshell | 1 Goldshell Miner Firmware | 2024-11-21 | 7.5 High |
| Goldshell ASIC Miners v2.2.1 and below was discovered to contain a path traversal vulnerability which allows unauthenticated attackers to retrieve arbitrary files from the device. | ||||
| CVE-2022-24647 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | 8.1 High |
| Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function. | ||||