Total
74 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-42791 | 2024-02-28 | N/A | 8.8 HIGH | ||
A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests. | |||||
CVE-2023-42456 | 1 Memorysafety | 1 Sudo | 2024-02-28 | N/A | 8.1 HIGH |
Sudo-rs, a memory safe implementation of sudo and su, allows users to not have to enter authentication at every sudo attempt, but instead only requiring authentication every once in a while in every terminal or process group. Only once a configurable timeout has passed will the user have to re-authenticate themselves. Supporting this functionality is a set of session files (timestamps) for each user, stored in `/var/run/sudo-rs/ts`. These files are named according to the username from which the sudo attempt is made (the origin user). An issue was discovered in versions prior to 0.2.1 where usernames containing the `.` and `/` characters could result in the corruption of specific files on the filesystem. As usernames are generally not limited by the characters they can contain, a username appearing to be a relative path can be constructed. For example we could add a user to the system containing the username `../../../../bin/cp`. When logged in as a user with that name, that user could run `sudo -K` to clear their session record file. The session code then constructs the path to the session file by concatenating the username to the session file storage directory, resulting in a resolved path of `/bin/cp`. The code then clears that file, resulting in the `cp` binary effectively being removed from the system. An attacker needs to be able to login as a user with a constructed username. Given that such a username is unlikely to exist on an existing system, they will also need to be able to create the users with the constructed usernames. The issue is patched in version 0.2.1 of sudo-rs. Sudo-rs now uses the uid for the user instead of their username for determining the filename. Note that an upgrade to this version will result in existing session files being ignored and users will be forced to re-authenticate. It also fully eliminates any possibility of path traversal, given that uids are always integer values. The `sudo -K` and `sudo -k` commands can run, even if a user has no sudo access. As a workaround, make sure that one's system does not contain any users with a specially crafted username. While this is the case and while untrusted users do not have the ability to create arbitrary users on the system, one should not be able to exploit this issue. | |||||
CVE-2023-4897 | 1 Mintplexlabs | 1 Anythingllm | 2024-02-28 | N/A | 9.8 CRITICAL |
Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. | |||||
CVE-2023-2356 | 1 Lfprojects | 1 Mlflow | 2024-02-28 | N/A | 7.5 HIGH |
Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1. | |||||
CVE-2022-31163 | 2 Debian, Tzinfo Project | 2 Debian Linux, Tzinfo | 2024-02-28 | N/A | 8.1 HIGH |
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`. | |||||
CVE-2021-34605 | 1 Xinje | 1 Xd\/e Series Plc Program Tool | 2024-02-28 | 6.0 MEDIUM | 7.3 HIGH |
A zip slip vulnerability in XINJE XD/E Series PLC Program Tool up to version v3.5.1 can provide an attacker with arbitrary file write privilege when opening a specially-crafted project file. This vulnerability can be triggered by manually opening an infected project file, or by initiating an upload program request from an infected Xinje PLC. This can result in remote code execution, information disclosure and denial of service of the system running the XINJE XD/E Series PLC Program Tool. | |||||
CVE-2021-41178 | 1 Nextcloud | 1 Server | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading. | |||||
CVE-2021-40870 | 1 Aviatrix | 1 Controller | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. | |||||
CVE-2021-41127 | 1 Rasa | 1 Rasa | 2024-02-28 | 5.8 MEDIUM | 7.1 HIGH |
Rasa is an open source machine learning framework to automate text-and voice-based conversations. In affected versions a vulnerability exists in the functionality that loads a trained model `tar.gz` file which allows a malicious actor to craft a `model.tar.gz` file which can overwrite or replace bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. For users unable to update ensure that users do not upload untrusted model files, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance. | |||||
CVE-2021-29488 | 4 Apple, Linux, Microsoft and 1 more | 4 Macos, Linux Kernel, Windows and 1 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
SABnzbd is an open source binary newsreader. A vulnerability was discovered in SABnzbd that could trick the `filesystem.renamer()` function into writing downloaded files outside the configured Download Folder via malicious PAR2 files. A patch was released as part of SABnzbd 3.2.1RC1. As a workaround, limit downloads to NZBs without PAR2 files, deny write permissions to the SABnzbd process outside areas it must access to perform its job, or update to a fixed version. | |||||
CVE-2020-25172 | 1 Bbraun | 1 Onlinesuite Application Package | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
A relative path traversal attack in the B. Braun OnlineSuite Version AP 3.0 and earlier allows unauthenticated attackers to upload or download arbitrary files. | |||||
CVE-2019-19287 | 1 Siemens | 1 Xhq | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow attackers to traverse through the file system of the server based by sending specially crafted packets over the network without authentication. | |||||
CVE-2019-18338 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-02-28 | 4.0 MEDIUM | 7.7 HIGH |
A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The Control Center Server (CCS) contains a directory traversal vulnerability in its XML-based communication protocol as provided by default on ports 5444/tcp and 5440/tcp. An authenticated remote attacker with network access to the CCS server could exploit this vulnerability to list arbitrary directories or read files outside of the CCS application context. | |||||
CVE-2024-0550 | 2024-02-28 | N/A | 9.6 CRITICAL | ||
A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack. |