Total
6715 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-27821 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2024-12-12 | N/A | 4.7 MEDIUM |
| A path handling issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. A shortcut may output sensitive user data without consent. | |||||
| CVE-2024-27810 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2024-12-12 | N/A | 5.5 MEDIUM |
| A path handling issue was addressed with improved validation. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An app may be able to read sensitive location information. | |||||
| CVE-2024-8647 | 2024-12-12 | N/A | 5.4 MEDIUM | ||
| An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled. | |||||
| CVE-2024-55659 | 2024-12-12 | N/A | N/A | ||
| SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue. | |||||
| CVE-2024-55658 | 2024-12-12 | N/A | N/A | ||
| SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure. Version 3.1.16 contains a patch for the issue. | |||||
| CVE-2024-55657 | 2024-12-12 | N/A | N/A | ||
| SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue. | |||||
| CVE-2024-50626 | 2024-12-12 | N/A | 8.8 HIGH | ||
| An issue was discovered in Digi ConnectPort LTS before 1.4.12. A Directory Traversal vulnerability exists in WebFS. This allows an attacker on the local area network to manipulate URLs to include traversal sequences, potentially leading to unauthorized access to data. | |||||
| CVE-2023-35844 | 1 Lightdash | 1 Lightdash | 2024-12-12 | N/A | 7.5 HIGH |
| packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension (.csv or .png) is used. | |||||
| CVE-2023-35843 | 1 Nocodb | 1 Nocodb | 2024-12-12 | N/A | 7.5 HIGH |
| NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information. | |||||
| CVE-2023-35840 | 1 Std42 | 1 Elfinder | 2024-12-12 | N/A | 6.5 MEDIUM |
| _joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector. | |||||
| CVE-2024-53523 | 2024-12-11 | N/A | 7.5 HIGH | ||
| JSFinder commit d70ab9bc5221e016c08cffaf0d9ac79646c90645 is vulnerable to Directory Traversal in the find_by_file function. | |||||
| CVE-2024-53490 | 2024-12-11 | N/A | 7.5 HIGH | ||
| Favorites-web 1.3.0 favorites-web has a directory traversal vulnerability in SecurityFilter.java. | |||||
| CVE-2024-53676 | 1 Hpe | 1 Insight Remote Support | 2024-12-11 | N/A | 9.8 CRITICAL |
| A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution. | |||||
| CVE-2024-5154 | 2 Kubernetes, Redhat | 3 Cri-o, Enterprise Linux, Openshift Container Platform | 2024-12-11 | N/A | 8.1 HIGH |
| A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system. | |||||
| CVE-2024-44167 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2024-12-11 | N/A | 5.5 MEDIUM |
| This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Ventura 13.7, visionOS 2, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to overwrite arbitrary files. | |||||
| CVE-2023-50955 | 1 Ibm | 1 Infosphere Information Server | 2024-12-10 | N/A | 2.4 LOW |
| IBM InfoSphere Information Server 11.7 could allow an authenticated privileged user to obtain the absolute path of the web server installation which could aid in further attacks against the system. IBM X-Force ID: 275777. | |||||
| CVE-2024-55602 | 2024-12-10 | N/A | 7.6 HIGH | ||
| PwnDoc is a penetration test report generator. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an authenticated user who is able to update and download templates can inject path traversal (`../`) sequences into the file extension property to read arbitrary files on the system. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 contains a patch for the issue. | |||||
| CVE-2024-46909 | 1 Progress | 1 Whatsup Gold | 2024-12-10 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage this vulnerability to execute code in the context of the service account. | |||||
| CVE-2024-45709 | 2024-12-10 | N/A | 5.3 MEDIUM | ||
| SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited. | |||||
| CVE-2024-11010 | 2024-12-10 | N/A | 7.2 HIGH | ||
| The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 1.1.4 via the 'default_lang' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary JavaScript files on the server, allowing the execution of any JavaScript code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||