Total
7204 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-39332 | 2 Fedoraproject, Nodejs | 2 Fedora, Node.js | 2024-11-21 | N/A | 9.8 CRITICAL |
| Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js environments, the `Buffer` class extends the `Uint8Array` class. Node.js prevents path traversal through strings (see CVE-2023-30584) and `Buffer` objects (see CVE-2023-32004), but not through non-`Buffer` `Uint8Array` objects. This is distinct from CVE-2023-32004 which only referred to `Buffer` objects. However, the vulnerability follows the same pattern using `Uint8Array` instead of `Buffer`. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2023-39331 | 1 Nodejs | 1 Node.js | 2024-11-21 | N/A | 7.5 HIGH |
| A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | |||||
| CVE-2023-39299 | 1 Qnap | 1 Music Station | 2024-11-21 | N/A | 7.5 HIGH |
| A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following versions: Music Station 4.8.11 and later Music Station 5.1.16 and later Music Station 5.3.23 and later | |||||
| CVE-2023-39163 | 2024-11-21 | N/A | 8.6 HIGH | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Averta Phlox Shop allows PHP Local File Inclusion.This issue affects Phlox Shop: from n/a through 2.0.0. | |||||
| CVE-2023-39141 | 1 Ziahamza | 1 Webui-aria2 | 2024-11-21 | N/A | 7.5 HIGH |
| webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability. | |||||
| CVE-2023-39139 | 1 Archive Project | 1 Archive | 2024-11-21 | N/A | 7.8 HIGH |
| An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file. | |||||
| CVE-2023-39138 | 1 Peakstep | 1 Zipfoundation | 2024-11-21 | N/A | 7.8 HIGH |
| An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file. | |||||
| CVE-2023-39135 | 1 Marmelroy | 1 Zip | 2024-11-21 | N/A | 7.8 HIGH |
| An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry. | |||||
| CVE-2023-39026 | 2 Filemage, Microsoft | 2 Filemage, Windows | 2024-11-21 | N/A | 7.5 HIGH |
| Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component. | |||||
| CVE-2023-38997 | 1 Opnsense | 1 Opnsense | 2024-11-21 | N/A | 7.2 HIGH |
| A directory traversal vulnerability in the Captive Portal templates of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to execute arbitrary system commands as root via a crafted ZIP archive. | |||||
| CVE-2023-38956 | 1 Zkteco | 1 Bioaccess Ivs | 2024-11-21 | N/A | 7.5 HIGH |
| A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. | |||||
| CVE-2023-38879 | 1 Os4ed | 1 Opensis | 2024-11-21 | N/A | 7.5 HIGH |
| The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'. | |||||
| CVE-2023-38708 | 1 Pimcore | 1 Pimcore | 2024-11-21 | N/A | 6.3 MEDIUM |
| Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite. The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted. | |||||
| CVE-2023-38702 | 1 Eng | 1 Knowage | 2024-11-21 | N/A | 9.9 CRITICAL |
| Knowage is an open source analytics and business intelligence suite. Starting in the 6.x.x branch and prior to version 8.1.8, the endpoint `/knowage/restful-services/dossier/importTemplateFile` allows authenticated users to upload `template file` on the server, but does not need any authorization to be reached. When the JSP file is uploaded, the attacker just needs to connect to `/knowageqbeengine/foo.jsp` to gain code execution on the server. By exploiting this vulnerability, an attacker with low privileges can upload a JSP file to the `knowageqbeengine` directory and gain code execution capability on the server. This issue has been patched in Knowage version 8.1.8. | |||||
| CVE-2023-38695 | 1 Simonsmith | 1 Cypress Image Snapshot | 2024-11-21 | N/A | 6.5 MEDIUM |
| cypress-image-snapshot shows visual regressions in Cypress with jest-image-snapshot. Prior to version 8.0.2, it's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine running the test. This issue has been patched in version 8.0.2. | |||||
| CVE-2023-38633 | 3 Debian, Fedoraproject, Gnome | 3 Debian Linux, Fedora, Librsvg | 2024-11-21 | N/A | 5.5 MEDIUM |
| A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. | |||||
| CVE-2023-38399 | 2024-11-21 | N/A | 8.6 HIGH | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Averta Phlox Portfolio allows PHP Local File Inclusion.This issue affects Phlox Portfolio: from n/a through 2.3.1. | |||||
| CVE-2023-38346 | 1 Windriver | 1 Vxworks | 2024-11-21 | N/A | 8.8 HIGH |
| An issue was discovered in Wind River VxWorks 6.9 and 7. The function ``tarExtract`` implements TAR file extraction and thereby also processes files within an archive that have relative or absolute file paths. A developer using the "tarExtract" function may expect that the function will strip leading slashes from absolute paths or stop processing when encountering relative paths that are outside of the extraction path, unless otherwise forced. This could lead to unexpected and undocumented behavior, which in general could result in a directory traversal, and associated unexpected behavior. | |||||
| CVE-2023-38337 | 1 Rswag Project | 1 Rswag | 2024-11-21 | N/A | 7.5 HIGH |
| rswag before 2.10.1 allows remote attackers to read arbitrary JSON and YAML files via directory traversal, because rswag-api can expose a file that is not the OpenAPI (or Swagger) specification file of a project. | |||||
| CVE-2023-38312 | 1 Valvesoftware | 1 Counter-strike | 2024-11-21 | N/A | 7.5 HIGH |
| A directory traversal vulnerability in Valve Counter-Strike 8684 allows a client (with remote control access to a game server) to read arbitrary files from the underlying server via the motdfile console variable. | |||||