Total
268 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-29720 | 1 74cms | 1 74cmsse | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| 74cmsSE v3.5.1 was discovered to contain an arbitrary file read vulnerability via the component \index\controller\Download.php. | |||||
| CVE-2022-0656 | 1 Webtoprint | 1 Web To Print Shop\ | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc) | |||||
| CVE-2022-29446 | 1 Wow-company | 1 Counter Box | 2024-02-28 | 4.0 MEDIUM | 7.2 HIGH |
| Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 at WordPress. | |||||
| CVE-2022-23377 | 1 Keep | 1 Archeevo | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files. | |||||
| CVE-2022-25297 | 1 Drogon | 1 Drogon | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| This affects the package drogonframework/drogon before 1.7.5. The unsafe handling of file names during upload using HttpFile::save() method may enable attackers to write files to arbitrary locations outside the designated target folder. | |||||
| CVE-2022-27837 | 2 Google, Samsung | 2 Android, Accessibility | 2024-02-28 | 9.3 HIGH | 7.8 HIGH |
| A vulnerability using PendingIntent in Accessibility prior to version 12.5.3.2 in Android R(11.0) and 13.0.1.1 in Android S(12.0) allows attacker to access the file with system privilege. | |||||
| CVE-2022-29302 | 1 Contec | 2 Sv-cpt-mc310, Sv-cpt-mc310 Firmware | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
| SolarView Compact ver.6.00 was discovered to contain a local file disclosure via /html/Solar_Ftp.php. | |||||
| CVE-2022-25299 | 1 Cesanta | 1 Mongoose | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder. | |||||
| CVE-2022-30428 | 1 Ginadmin Project | 1 Ginadmin | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading. | |||||
| CVE-2022-23621 | 1 Xwiki | 1 Xwiki | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right. | |||||
| CVE-2020-35340 | 1 Expertpdf | 1 Expertpdf | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| A local file inclusion vulnerability in ExpertPDF 9.5.0 through 14.1.0 allows attackers to read the file contents from files that the running ExpertPDF process has access to read. | |||||
| CVE-2021-35203 | 1 Netscout | 1 Ngeniusone | 2024-02-28 | 3.5 LOW | 5.7 MEDIUM |
| NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint. | |||||
| CVE-2021-32833 | 1 Emby | 1 Emby.releases | 2024-02-28 | 4.3 MEDIUM | 8.6 HIGH |
| Emby Server is a personal media server with apps on many devices. In Emby Server on Windows there is a set of arbitrary file read vulnerabilities. This vulnerability is known to exist in version 4.6.4.0 and may not be patched in later versions. Known vulnerable routes are /Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer, /Images/Ratings/theme/name and /Images/MediaInfo/theme/name. For more details including proof of concept code, refer to the referenced GHSL-2021-051. This issue may lead to unauthorized access to the system especially when Emby Server is configured to be accessible from the Internet. | |||||
| CVE-2021-41573 | 1 Hitachi | 1 Content Platform Anywhere | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Hitachi Content Platform Anywhere (HCP-AW) 4.4.5 and later allows information disclosure. If authenticated user creates a link to a file or folder while the system was running version 4.3.x or earlier and then shares the link and then later deletes the file or folder without deleting the link and before the link expires. If the system has been upgraded to version 4.4.5 or 4.5.0 a malicious user with the link could browse and download all files of the authenticated user that created the link . | |||||
| CVE-2021-31850 | 2 Mcafee, Microsoft | 2 Database Security, Windows | 2024-02-28 | 4.9 MEDIUM | 6.1 MEDIUM |
| A denial-of-service vulnerability in Database Security (DBS) prior to 4.8.4 allows a remote authenticated administrator to trigger a denial-of-service attack against the DBS server. The configuration of Archiving through the User interface incorrectly allowed the creation of directories and files in Windows system directories and other locations where sensitive data could be overwritten. The former could lead to a DoS, whilst the latter could lead to data destruction on the DBS server. | |||||
| CVE-2021-25741 | 1 Kubernetes | 1 Kubernetes | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
| A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. | |||||
| CVE-2021-20148 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-02-28 | 3.5 LOW | 4.3 MEDIUM |
| ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain. | |||||
| CVE-2021-43772 | 2 Microsoft, Trendmicro | 5 Windows, Antivirus\+ Security, Internet Security and 2 more | 2024-02-28 | 2.1 LOW | 5.5 MEDIUM |
| Trend Micro Security 2021 v17.0 (Consumer) contains a vulnerability that allows files inside the protected folder to be modified without any detection. | |||||
| CVE-2022-23316 | 1 Taogogo | 1 Taocms | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| An issue was discovered in taoCMS v3.0.2. There is an arbitrary file read vulnerability that can read any files via admin.php?action=file&ctrl=download&path=../../1.txt. | |||||
| CVE-2022-0244 | 1 Gitlab | 1 Gitlab | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group was due to incorrect handling of file. | |||||