Total: 6541 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-2110 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2024-11-21 | N/A | 8.2 HIGH | Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via `app://local/<absolute-path>`. This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and pastes it into Obsidian.
CVE-2023-29986 | 1 Spring-boot-actuator-logview Project | 1 Spring-boot-actuator-logview | 2024-11-21 | N/A | 5.3 MEDIUM | spring-boot-actuator-logview 0.2.13 allows Directory Traversal to sibling directories via LogViewEndpoint.view.
CVE-2023-29962 | 1 S-cms | 1 S-cms | 2024-11-21 | N/A | 6.5 MEDIUM | S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability.
CVE-2023-29887 | 1 Nuovo | 1 Spreadsheet-reader | 2024-11-21 | N/A | 7.5 HIGH | A Local File Inclusion vulnerability in test.php in spreadsheet-reader 0.5.11 allows remote attackers to include arbitrary files via the File parameter.
CVE-2023-29736 | 1 Timmystudios | 1 Keyboard Themes | 2024-11-21 | N/A | 9.8 CRITICAL | Keyboard Themes 1.275.1.164 for Android contains a directory traversal vulnerability that allows unauthorized apps to overwrite arbitrary files in its internal storage and achieve arbitrary code execution.
CVE-2023-29502 | 1 Ptc | 1 Vuforia Studio | 2024-11-21 | N/A | 6.2 MEDIUM | Before importing a project into Vuforia, a user could modify the `resourceDirectory` attribute in the appConfig.json file to be a different path.
CVE-2023-29478 | 1 Bibliocraftmod | 1 Bibliocraft | 2024-11-21 | N/A | 9.8 CRITICAL | BiblioCraft before 2.4.6 does not sanitize path-traversal characters in filenames, allowing restricted write access to almost anywhere on the filesystem. This includes the Minecraft mods folder, which results in code execution.
CVE-2023-29380 | 1 Linuxmint | 1 Warpinator | 2024-11-21 | N/A | 7.5 HIGH | Warpinator before 1.6.0 allows remote file deletion via directory traversal in top_dir_basenames.
CVE-2023-29200 | 1 Contao | 1 Contao | 2024-11-21 | N/A | 4.3 MEDIUM | Contao is an open source content management system. Prior to versions 4.9.40, 4.13.21, and 5.1.4, logged-in users can list arbitrary system files in the file manager by manipulating the Ajax request. However, it is not possible to read the contents of these files. Users should update to Contao 4.9.40, 4.13.21 or 5.1.4 to receive a patch. There are no known workarounds.
CVE-2023-29186 | 1 Sap | 1 Netweaver | 2024-11-21 | N/A | 8.7 HIGH | In SAP NetWeaver (BI CONT ADDON) versions 707, 737, 747 and 757, an attacker can exploit a directory traversal flaw in a report to upload and overwrite files on the SAP server. Data cannot be read, but if a remote attacker has sufficient (administrative) privileges, potentially critical OS files can be overwritten, making the system unavailable.
CVE-2023-29159 | 1 Encode | 1 Starlette | 2024-11-21 | N/A | 7.5 HIGH | Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
CVE-2023-29128 | 1 Siemens | 4 6gk1411-1ac00, 6gk1411-1ac00 Firmware, 6gk1411-5ac00 and 1 more | 2024-11-21 | N/A | 3.8 LOW | A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2.0 < V2.1) and SIMATIC Cloud Connect 7 CC716 (All versions >= V2.0 < V2.1). The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to write any file with the extension `.db`.
CVE-2023-29104 | 1 Siemens | 4 6gk1411-1ac00, 6gk1411-1ac00 Firmware, 6gk1411-5ac00 and 1 more | 2024-11-21 | N/A | 6.0 MEDIUM | A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions >= V2.0 < V2.1) and SIMATIC Cloud Connect 7 CC716 (All versions >= V2.0 < V2.1). The filename in the upload feature of the web-based management of the affected device is susceptible to a path traversal vulnerability. This could allow an authenticated privileged remote attacker to overwrite any file the Linux user `ccuser` has write access to, or to download any file the Linux user `ccuser` has read-only access to.
CVE-2023-29004 | 1 Roxy-wi | 1 Roxy-wi | 2024-11-21 | N/A | 6.5 MEDIUM | hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to /app/options.py and the config_file_name parameter. Successful exploitation of this vulnerability could allow an attacker with user-level privileges to obtain the content of arbitrary files on the file server within the scope of what the server process has access to. The root cause of the vulnerability lies in the get_config function of the /app/modules/config/config.py file, which only checks for relative path traversal but still allows reading files from absolute locations passed via the config_file_name parameter.
CVE-2023-28732 | 1 Acymailing | 1 Acymailing | 2024-11-21 | N/A | 6.5 MEDIUM | Missing access control in the AnyMailing Joomla Plugin allows listing and accessing files containing sensitive information from the plugin itself, and access to system files via path traversal, when a user has been granted access to campaign creation on the front office. This issue affects the AnyMailing Joomla Plugin in versions below 8.3.0.
CVE-2023-28465 | 1 Hapifhir | 1 Hl7 Fhir Core | 2024-11-21 | N/A | 7.5 HIGH | The package-decompression feature in HL7 (Health Level 7) FHIR Core Libraries before 5.6.106 allows attackers to copy arbitrary files to certain directories via directory traversal, if an allowed directory name is a substring of the directory name chosen by the attacker. NOTE: this issue exists because of an incomplete fix for CVE-2023-24057.
CVE-2023-28459 | 1 Pretalx | 1 Pretalx | 2024-11-21 | N/A | 6.5 MEDIUM | pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files.
CVE-2023-28458 | 1 Pretalx | 1 Pretalx | 2024-11-21 | N/A | 4.3 MEDIUM | pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Organizers can trigger the overwriting (with the standard pretalx 404 page content) of an arbitrary file.
CVE-2023-28413 | 1 Snow Monkey Forms Project | 1 Snow Monkey Forms | 2024-11-21 | N/A | 9.8 CRITICAL | Directory traversal vulnerability in Snow Monkey Forms versions v5.0.6 and earlier allows a remote unauthenticated attacker to obtain sensitive information, alter the website, or cause a denial-of-service (DoS) condition.
CVE-2023-28408 | 1 Mw Wp Form Project | 1 Mw Wp Form | 2024-11-21 | N/A | 9.8 CRITICAL | Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to alter the website or cause a denial-of-service (DoS) condition, and to obtain sensitive information depending on settings.