Total
6537 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5991 | 1 Motopress | 1 Hotel Booking Lite | 2024-11-21 | N/A | 9.8 CRITICAL |
| The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server | |||||
| CVE-2023-5938 | 2024-11-21 | N/A | 8.0 HIGH | ||
| Multiple functions use archives without properly validating the filenames therein, rendering the application vulnerable to path traversal via 'zip slip' attacks. An administrator able to provide tampered archives to be processed by the affected versions of Arc may be able to have arbitrary files extracted to arbitrary filesystem locations. Leveraging this issue, an attacker may be able to overwrite arbitrary files on the target filesystem and cause critical impacts on the system (e.g., arbitrary command execution on the victim’s machine). | |||||
| CVE-2023-5885 | 1 Franklinfueling | 2 Colibri, Colibri Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
| The discontinued FFS Colibri product allows a remote user to access files on the system including files containing login credentials for other users. | |||||
| CVE-2023-5672 | 1 Wpvibes | 1 Wp Mail Log | 2024-11-21 | N/A | 6.5 MEDIUM |
| The WP Mail Log WordPress plugin before 1.1.3 does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files. | |||||
| CVE-2023-5607 | 1 Trellix | 1 Application And Change Control | 2024-11-21 | N/A | 8.4 HIGH |
| An improper limitation of a path name to a restricted directory (path traversal) vulnerability in the TACC ePO extension, for on-premises ePO servers, prior to version 8.4.0 could lead to an authorised administrator attacker executing arbitrary code through uploading a specially crafted GTI reputation file. The attacker would need the appropriate privileges to access the relevant section of the User Interface. The import logic has been updated to restrict file types and content. | |||||
| CVE-2023-5588 | 1 Kpherox | 1 Pleroma | 2024-11-21 | 1.4 LOW | 2.6 LOW |
| A vulnerability was found in kphrx pleroma. It has been classified as problematic. This affects the function Pleroma.Emoji.Pack of the file lib/pleroma/emoji/pack.ex. The manipulation of the argument name leads to path traversal. The complexity of an attack is rather high. The exploitability is told to be difficult. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 2c795094535537a8607cc0d3b7f076a609636f40. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-242187. | |||||
| CVE-2023-5504 | 1 Inpsyde | 1 Backwpup | 2024-11-21 | N/A | 8.7 HIGH |
| The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to the root of another site in a shared environment and thus disable that site. | |||||
| CVE-2023-5414 | 1 Icegram | 1 Icegram Express | 2024-11-21 | N/A | 9.1 CRITICAL |
| The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including those belonging to other sites, for example in shared hosting environments. | |||||
| CVE-2023-5399 | 1 Schneider-electric | 1 Spacelogic C-bus Toolkit | 2024-11-21 | N/A | 9.8 CRITICAL |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using the File Command. | |||||
| CVE-2023-5390 | 1 Honeywell | 4 Controledge Unit Operations Controller, Controledge Unit Operations Controller Firmware, Controledge Virtual Unit Operations Controller and 1 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| An attacker could potentially exploit this vulnerability, leading to files being read from the Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC. This exploit could be used to read files from the controller that may expose limited information from the device. Honeywell recommends updating to the most recent version of the product. See Honeywell Security Notification for recommendations on upgrading and versioning. | |||||
| CVE-2023-5355 | 1 Getawesomesupport | 1 Awesome Support | 2024-11-21 | N/A | 8.1 HIGH |
| The Awesome Support WordPress plugin before 6.1.5 does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server. | |||||
| CVE-2023-5327 | 1 Sato | 2 Cl4nx-j Plus, Cl4nx-j Plus Firmware | 2024-11-21 | 2.7 LOW | 3.5 LOW |
| A vulnerability was found in SATO CL4NX-J Plus 1.13.2-u455_r2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /rest/dir/. The manipulation of the argument full leads to path traversal. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-241028. | |||||
| CVE-2023-5257 | 2 Microsoft, Whitehsbg | 2 Windows, Jndiexploit | 2024-11-21 | 2.7 LOW | 3.5 LOW |
| A vulnerability was found in WhiteHSBG JNDIExploit 1.4 on Windows. It has been rated as problematic. Affected by this issue is the function handleFileRequest of the file src/main/java/com/feihong/ldap/HTTPServer.java. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. VDB-240866 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-5189 | 1 Redhat | 2 Ansible Automation Platform, Satellite | 2024-11-21 | N/A | 6.3 MEDIUM |
| A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten. | |||||
| CVE-2023-5142 | 1 H3c | 30 Er2100n, Er2100n Firmware, Er2200g2 and 27 more | 2024-11-21 | 2.6 LOW | 3.7 LOW |
| A vulnerability classified as problematic was found in H3C GR-1100-P, GR-1108-P, GR-1200W, GR-1800AX, GR-2200, GR-3200, GR-5200, GR-8300, ER2100n, ER2200G2, ER3200G2, ER3260G2, ER5100G2, ER5200G2 and ER6300G2 up to 20230908. This vulnerability affects unknown code of the file /userLogin.asp of the component Config File Handler. The manipulation leads to path traversal. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-240238 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-5115 | 2 Debian, Redhat | 5 Debian Linux, Ansible Automation Platform, Ansible Developer and 2 more | 2024-11-21 | N/A | 6.3 MEDIUM |
| An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path. | |||||
| CVE-2023-5105 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Frontend File Manager Plugin WordPress plugin before 22.6 has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as `wp-config.php` | |||||
| CVE-2023-5097 | 2 Hypr, Microsoft | 2 Workforce Access, Windows | 2024-11-21 | N/A | 7.0 HIGH |
| Improper Input Validation vulnerability in HYPR Workforce Access on Windows allows Path Traversal.This issue affects Workforce Access: before 8.7. | |||||
| CVE-2023-52544 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Vulnerability of file path verification being bypassed in the email module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2023-52289 | 1 Sujeetkv | 1 Flaskcode | 2024-11-21 | N/A | 7.5 HIGH |
| An issue was discovered in the flaskcode package through 0.0.8 for Python. An unauthenticated directory traversal, exploitable with a POST request to a /update-resource-data/<file_path> URI (from views.py), allows attackers to write to arbitrary files. | |||||