Total
7178 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-26068 | 1 Pistache Project | 1 Pistache | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
| This affects the package pistacheio/pistache before 0.0.3.20220425. It is possible to traverse directories to fetch arbitrary files from the server. | |||||
| CVE-2022-26049 | 1 Diffplug | 1 Goomph | 2024-11-21 | N/A | 5.3 MEDIUM |
| This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability. **Note:** This could have allowed a malicious zip file to extract itself into an arbitrary directory. The only file that Goomph extracts is the p2 bootstrapper and eclipse metadata files hosted at eclipse.org, which are not malicious, so the only way this vulnerability could have affected you is if you had set a custom bootstrap zip, and that zip was malicious. | |||||
| CVE-2022-26041 | 1 Generex | 1 Rccmd | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| Directory traversal vulnerability in RCCMD 4.26 and earlier allows a remote authenticated attacker with an administrative privilege to read or alter an arbitrary file on the server via unspecified vectors. | |||||
| CVE-2022-26019 | 1 Netgate | 2 Pfsense, Pfsense Plus | 2024-11-21 | 8.5 HIGH | 8.8 HIGH |
| Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution. | |||||
| CVE-2022-25856 | 1 Argo Events Project | 1 Argo Events | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The package github.com/argoproj/argo-events/sensors/artifacts before 1.7.1 are vulnerable to Directory Traversal in the (g *GitArtifactReader).Read() API in git.go. This could allow arbitrary file reads if the GitArtifactReader is provided a pathname containing a symbolic link or an implicit directory name such as ... | |||||
| CVE-2022-25842 | 1 Alibabagroup | 1 One-java-agent | 2024-11-21 | 7.5 HIGH | 6.9 MEDIUM |
| All versions of package com.alibaba.oneagent:one-java-agent-plugin are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. | |||||
| CVE-2022-25634 | 1 Qt | 1 Qt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Qt through 5.15.8 and 6.x through 6.2.3 can load system library files from an unintended working directory. | |||||
| CVE-2022-25591 | 1 Blogengine | 1 Blogengine.net | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| BlogEngine.NET v3.3.8.0 was discovered to contain an arbitrary file deletion vulnerability which allows attackers to delete files within the web server root directory via a crafted HTTP request. | |||||
| CVE-2022-25412 | 1 Max-3000 | 1 Maxsite Cms | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| Maxsite CMS v180 was discovered to contain multiple arbitrary file deletion vulnerabilities in /admin_page/all-files-update-ajax.php via the dir and deletefile parameters. | |||||
| CVE-2022-25371 | 1 Apache | 1 Ofbiz | 2024-11-21 | N/A | 9.8 CRITICAL |
| Apache OFBiz uses the Birt project plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. By leveraging a bug in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142) it is possible to perform a remote code execution (RCE) attack in Apache OFBiz, release 18.12.05 and earlier. | |||||
| CVE-2022-25358 | 1 Awful-salmonella-tar Project | 1 Awful-salmonella-tar | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A ..%2F path traversal vulnerability exists in the path handler of awful-salmonella-tar before 0.0.4. Attackers can only list directories (not read files). This occurs because the safe-path? Scheme predicate is not used for directories. | |||||
| CVE-2022-25347 | 1 Deltaww | 1 Diaenergie | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to path traversal attacks, which may allow an attacker to write arbitrary files to locations on the file system. | |||||
| CVE-2022-25298 | 1 Webcc Project | 1 Webcc | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This affects the package sprinfall/webcc before 0.3.0. It is possible to traverse directories to fetch arbitrary files from the server. | |||||
| CVE-2022-25267 | 1 Passwork | 1 Passwork | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files). | |||||
| CVE-2022-25266 | 1 Passwork | 1 Passwork | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files). | |||||
| CVE-2022-25249 | 1 Ptc | 2 Axeda Agent, Axeda Desktop Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| When connecting to a certain port Axeda agent (All versions) and Axeda Desktop Server for Windows (All versions) (disregarding Axeda agent v6.9.2 and v6.9.3) is vulnerable to directory traversal, which could allow a remote unauthenticated attacker to obtain file system read access via web server.. | |||||
| CVE-2022-25216 | 1 Dvdfab | 2 12 Player, Playerfab | 2024-11-21 | 7.8 HIGH | 7.5 HIGH |
| An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>. | |||||
| CVE-2022-25188 | 1 Jenkins | 1 Fortify | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker. | |||||
| CVE-2022-25178 | 1 Jenkins | 1 Pipeline\ | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system. | |||||
| CVE-2022-25046 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A path traversal vulnerability in loader.php of CWP v0.9.8.1122 allows attackers to execute arbitrary code via a crafted POST request. | |||||