Total
6548 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25848 | 1 Static-dev-server Project | 1 Static-dev-server | 2024-11-21 | N/A | 7.5 HIGH |
| This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. | |||||
| CVE-2022-25842 | 1 Alibabagroup | 1 One-java-agent | 2024-11-21 | 7.5 HIGH | 6.9 MEDIUM |
| All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. | |||||
| CVE-2022-25634 | 1 Qt | 1 Qt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. | |||||
| CVE-2022-25591 | 1 Blogengine | 1 Blogengine.net | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| BlogEngine.NET v3.3.8.0 was discovered to contain an arbitrary file deletion vulnerability which allows attackers to delete files within the web server root directory via a crafted HTTP request. | |||||
| CVE-2022-25412 | 1 Max-3000 | 1 Maxsite Cms | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Maxsite CMS v180 was discovered to contain multiple arbitrary file deletion vulnerabilities in /admin_page/all-files-update-ajax.php via the dir and deletefile parameters. | |||||
| CVE-2022-25377 | 2024-11-21 | N/A | 7.5 HIGH | ||
| The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APP_STORAGE_CERTIFICATES/.well-known/acme-challenge must exist on disk. (This pathname is automatically created if the user chooses to install Let's Encrypt certificates via Appwrite.) | |||||
| CVE-2022-25371 | 1 Apache | 1 Ofbiz | 2024-11-21 | N/A | 9.8 CRITICAL |
| Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier. | |||||
| CVE-2022-25358 | 1 Awful-salmonella-tar Project | 1 Awful-salmonella-tar | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A ..%2F path traversal vulnerability exists in the path handler of awful-salmonella-tar before 0.0.4. Attackers can only list directories (not read files). This occurs because the safe-path? Scheme predicate is not used for directories. | |||||
| CVE-2022-25347 | 1 Deltaww | 1 Diaenergie | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to path traversal attacks, which may allow an attacker to write arbitrary files to locations on the file system. | |||||
| CVE-2022-25298 | 1 Webcc Project | 1 Webcc | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package sprinfall/webcc before 0.3.0. It is possible to traverse directories to fetch arbitrary files from the server. | |||||
| CVE-2022-25267 | 1 Passwork | 1 Passwork | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files). | |||||
| CVE-2022-25266 | 1 Passwork | 1 Passwork | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files). | |||||
| CVE-2022-25249 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) (disregarding Axeda agent v6.9.2 and v6.9.3) is vulnerable to directory traversal, which could allow a remote unauthenticated attacker to obtain file system read access via web server.. | |||||
| CVE-2022-25216 | 1 Dvdfab | 2 12 Player, Playerfab | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>. | |||||
| CVE-2022-25188 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker. | |||||
| CVE-2022-25178 | 1 Jenkins | 1 Pipeline\ | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system. | |||||
| CVE-2022-25046 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | |||||
| CVE-2022-24992 | 1 Qr Code Generator Project | 1 Qr Code Generator | 2024-11-21 | N/A | 7.5 HIGH |
| A vulnerability in the component process.php of QR Code Generator v5.2.7 allows attackers to perform directory traversal. | |||||
| CVE-2022-24983 | 1 Jqueryform | 1 Jqueryform | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Forms generated by JQueryForm.com before 2022-02-05 allow remote attackers to obtain the URI to any uploaded file by capturing the POST response. When chained with CVE-2022-24984, this could lead to unauthenticated remote code execution on the underlying web server. This occurs because the Unique ID field is contained in the POST response upon submitting a form. | |||||
| CVE-2022-24977 | 1 Impresscms | 1 Impresscms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ImpressCMS before 1.4.2 allows unauthenticated remote code execution via ...../// directory traversal in origName or imageName, leading to unsafe interaction with the CKEditor processImage.php script. The payload may be placed in PHP_SESSION_UPLOAD_PROGRESS when the PHP installation supports upload_progress. | |||||