Total
6548 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23457 | 3 Netapp, Oracle, Owasp | 4 Active Iq Unified Manager, Oncommand Workflow Automation, Weblogic Server and 1 more | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this. | |||||
| CVE-2022-23447 | 1 Fortinet | 2 Fortiextender, Fortiextender Firmware | 2024-11-21 | N/A | 7.5 HIGH |
| An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiExtender management interface 7.0.0 through 7.0.3, 4.2.0 through 4.2.4, 4.1.1 through 4.1.8, 4.0.0 through 4.0.2, 3.3.0 through 3.3.2, 3.2.1 through 3.2.3, 5.3 all versions may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests. | |||||
| CVE-2022-23409 | 1 Ethercreative | 1 Logs | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to read arbitrary files via input to actionStream in Controller.php. | |||||
| CVE-2022-23357 | 1 Mozilo | 1 Mozilocms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| mozilo2.0 was discovered to be vulnerable to directory traversal attacks via the parameter curent_dir. | |||||
| CVE-2022-23347 | 1 Bigantsoft | 1 Bigant Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| BigAnt Software BigAnt Server v5.6.06 was discovered to be vulnerable to directory traversal attacks. | |||||
| CVE-2022-23166 | 1 Sysaid | 1 Sysaid | 2024-11-21 | 10.0 HIGH | 6.1 MEDIUM |
| Sysaid – Sysaid Local File Inclusion (LFI) – An unauthenticated attacker can access to the system by accessing to "/lib/tinymce/examples/index.html" path. in the "Insert/Edit Embedded Media" window Choose Type : iFrame and File/URL : [here is the LFI] Solution: Update to 22.2.20 cloud version, or to 22.1.64 on premise version. | |||||
| CVE-2022-23135 | 1 Zte | 4 Zxhn F477, Zxhn F477 Firmware, Zxhn F677 and 1 more | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| There is a directory traversal vulnerability in some home gateway products of ZTE. Due to the lack of verification of user modified destination path, an attacker with specific permissions could modify the FTP access path to access and modify the system path contents without authorization, which will cause information leak and affect device operation. | |||||
| CVE-2022-23119 | 2 Linux, Trendmicro | 2 Linux Kernel, Deep Security Agent | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| A directory traversal vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to read arbitrary files from the file system. Please note: an attacker must first obtain compromised access to the target Deep Security Manager (DSM) or the target agent must be not yet activated or configured in order to exploit this vulnerability. | |||||
| CVE-2022-23113 | 1 Jenkins | 1 Publish Over Ssh | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files. | |||||
| CVE-2022-23107 | 1 Jenkins | 1 Warnings Next Generation | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system. | |||||
| CVE-2022-23082 | 1 Mend | 1 Curekit | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal as the function isFileOutsideDir fails to sanitize the user input which may lead to path traversal. | |||||
| CVE-2022-22932 | 1 Apache | 1 Karaf | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Apache Karaf obr:* commands and run goal on the karaf-maven-plugin have partial path traversal which allows to break out of expected folder. The risk is low as obr:* commands are not very used and the entry is set by user. This has been fixed in revision: https://gitbox.apache.org/repos/asf?p=karaf.git;h=36a2bc4 https://gitbox.apache.org/repos/asf?p=karaf.git;h=52b70cf Mitigation: Apache Karaf users should upgrade to 4.2.15 or 4.3.6 or later as soon as possible, or use correct path. JIRA Tickets: https://issues.apache.org/jira/browse/KARAF-7326 | |||||
| CVE-2022-22931 | 1 Apache | 1 James | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Fix of CVE-2021-40525 do not prepend delimiters upon valid directory validations. Affected implementations include: - maildir mailbox store - Sieve file repository This enables a user to access other users data stores (limited to user names being prefixed by the value of the username being used). | |||||
| CVE-2022-22914 | 1 Ovidentia | 1 Ovidentia | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An incorrect access control issue in the component FileManager of Ovidentia CMS 6.0 allows authenticated attackers to to view and download content in the upload directory via path traversal. | |||||
| CVE-2022-22836 | 1 Coreftp | 1 Core Ftp | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request. | |||||
| CVE-2022-22821 | 1 Nvidia | 1 Nemo | 2024-11-21 | 2.1 LOW | 2.0 LOW |
| NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in which ../ Path Traversal may lead to deletion of any directory when admin privileges are available. | |||||
| CVE-2022-22790 | 1 Synel | 1 Eharmony | 2024-11-21 | 5.0 MEDIUM | 5.6 MEDIUM |
| SYNEL - eharmony Directory Traversal. Directory Traversal - is an attack against a server or a Web application aimed at unauthorized access to the file system. on the "Name" parameter the attacker can return to the root directory and open the host file. The path exposes sensitive files that users upload | |||||
| CVE-2022-22771 | 1 Tibco | 2 Jasperreports Library, Jasperreports Server | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| The Server component of TIBCO Software Inc.'s TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO JasperReports Server, TIBCO JasperReports Server for AWS Marketplace, TIBCO JasperReports Server for ActiveMatrix BPM, and TIBCO JasperReports Server for Microsoft Azure contains a directory-traversal vulnerability that may theoretically allow web server users to access contents of the host system. Affected releases are TIBCO Software Inc.'s TIBCO JasperReports Library: version 7.9.0, TIBCO JasperReports Library for ActiveMatrix BPM: version 7.9.0, TIBCO JasperReports Server: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for AWS Marketplace: versions 7.9.0 and 7.9.1, TIBCO JasperReports Server for ActiveMatrix BPM: versions 7.9.0 and 7.9.1, and TIBCO JasperReports Server for Microsoft Azure: version 7.9.1. | |||||
| CVE-2022-22731 | 1 Schneider-electric | 1 Ecostruxure Power Commission | 2024-11-21 | N/A | 6.5 MEDIUM |
| A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in a function that could allow an attacker to create or overwrite critical files that are used to execute code, such as programs or libraries and cause path traversal attacks. Affected Products: EcoStruxure Power Commission (Versions prior to V2.22) | |||||
| CVE-2022-22685 | 1 Synology | 1 Webdav Server | 2024-11-21 | N/A | 8.7 HIGH |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology WebDAV Server before 2.4.0-0062 allows remote authenticated users to delete arbitrary files via unspecified vectors. | |||||