Total
6551 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28206 | 1 Asus | 88 Asmb9-ikvm, Asmb9-ikvm Firmware, E700 G4 and 85 more | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Record video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files. | |||||
| CVE-2021-28205 | 1 Asus | 6 Asmb8-ikvm, Asmb8-ikvm Firmware, Z10pe-d16 Ws and 3 more | 2024-11-21 | 6.8 MEDIUM | 4.9 MEDIUM |
| The specific function in ASUS BMC’s firmware Web management page (Delete SOL video file function) does not filter the specific parameter. As obtaining the administrator permission, remote attackers can use the means of path traversal to access system files. | |||||
| CVE-2021-28172 | 1 Deltaflow Project | 1 Deltaflow | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| There is a Path Traversal vulnerability in the file download function of Vangene deltaFlow E-platform. Remote attackers can access credential data with this leakage. | |||||
| CVE-2021-28149 | 1 Hongdian | 2 H8922, H8922 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Hongdian H8922 3.0.5 devices allow Directory Traversal. The /log_download.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ (e.g., ../../etc/passwd) This can be carried out with a web browser by changing the file name accordingly. Upon visiting log_download.cgi?type=../../etc/passwd and logging in, the web server will allow a download of the contents of the /etc/passwd file. | |||||
| CVE-2021-28042 | 1 Deutschepost | 1 Mailoptimizer | 2024-11-21 | 8.3 HIGH | 7.8 HIGH |
| Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution. | |||||
| CVE-2021-27825 | 1 Mercurycom | 2 Mac1200r, Mac1200r Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| A directory traversal vulnerability on Mercury MAC1200R devices allows attackers to read arbitrary files via a web-static/ URL. | |||||
| CVE-2021-27798 | 1 Broadcom | 1 Fabric Operating System | 2024-11-21 | N/A | 5.5 MEDIUM |
| A vulnerability in Brocade Fabric OS versions v7.4.1b and v7.3.1d could allow local users to conduct privileged directory transversal. Brocade Fabric OS versions v7.4.1.x and v7.3.x have reached end of life. Brocade Fabric OS Users should upgrade to supported versions as described in the Product End-of-Life Publish report | |||||
| CVE-2021-27755 | 1 Hcltech | 1 Hcl Sametime | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| "Sametime Android potential path traversal vulnerability when using File class" | |||||
| CVE-2021-27753 | 1 Hcltech | 1 Hcl Sametime | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| "Sametime Android PathTraversal Vulnerability" | |||||
| CVE-2021-27473 | 1 Rockwellautomation | 1 Connected Components Workbench | 2024-11-21 | 6.9 MEDIUM | 6.1 MEDIUM |
| Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful. | |||||
| CVE-2021-27471 | 1 Rockwellautomation | 1 Connected Components Workbench | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful. | |||||
| CVE-2021-27461 | 1 Emerson | 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected webserver applications allow access to stored data that can be obtained by using specially crafted URLs. | |||||
| CVE-2021-27402 | 1 Mitel | 1 Micollab | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL validation, aka Directory Traversal. | |||||
| CVE-2021-27367 | 1 Boltcms | 1 Bolt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal. | |||||
| CVE-2021-27341 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter. | |||||
| CVE-2021-27328 | 1 Yeastar | 2 Neogate Tg400, Neogate Tg400 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key. | |||||
| CVE-2021-27278 | 1 Parallels | 1 Parallels Desktop | 2024-11-21 | 4.6 MEDIUM | 8.2 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.1-49141. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the current user on the host system. Was ZDI-CAN-12130. | |||||
| CVE-2021-27276 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
| This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MibController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12122. | |||||
| CVE-2021-27275 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ConfigFileController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information or to create a denial-of-service condition on the system. Was ZDI-CAN-12125. | |||||
| CVE-2021-27272 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 7.5 HIGH | 7.1 HIGH |
| This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ReportTemplateController class. When parsing the path parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12123. | |||||