Vulnerabilities (CVE)

Filtered by CWE-73
Total 161 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-39303 1 Weblate 1 Weblate 2024-11-21 N/A 4.4 MEDIUM
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects.
CVE-2024-38049 1 Microsoft 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more 2024-11-21 N/A 6.6 MEDIUM
Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability
CVE-2024-37295 2024-11-21 N/A 7.2 HIGH
Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue.
CVE-2024-33671 2024-11-21 N/A 7.7 HIGH
An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. The Backup Exec Deduplication Multi-threaded Streaming Agent can be leveraged to perform arbitrary file deletion on protected files.
CVE-2024-30265 2024-11-21 N/A 7.5 HIGH
Collabora Online is a collaborative online office suite based on LibreOffice technology. Any deployment of voilà dashboard allow local file inclusion. Any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voilà is deployed. This issue has been patched in 0.2.17, 0.3.8, 0.4.4 and 0.5.6.
CVE-2024-27175 2024-11-21 N/A 4.4 MEDIUM
Remote Command program allows an attacker to read any file using a Local File Inclusion vulnerability. An attacker can read any file on the printer. As for the affected products/models/versions, see the reference URL.
CVE-2024-25975 2024-11-21 N/A 6.5 MEDIUM
The application implements an up- and downvote function which alters a value within a JSON file. The POST parameters are not filtered properly and therefore an arbitrary file can be overwritten. The file can be controlled by an authenticated attacker, the content cannot be controlled. It is possible to overwrite all files for which the webserver has write access. It is required to supply a relative path (path traversal).
CVE-2024-23317 2024-11-21 N/A 6.3 MEDIUM
External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior.
CVE-2024-20652 1 Microsoft 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more 2024-11-21 N/A 8.1 HIGH
Windows HTML Platforms Security Feature Bypass Vulnerability
CVE-2024-0728 1 Foru Cms Project 1 Foru Cms 2024-11-21 5.8 MEDIUM 4.7 MEDIUM
A vulnerability classified as problematic was found in ForU CMS up to 2020-06-23. Affected by this vulnerability is an unknown functionality of the file channel.php. The manipulation of the argument c_cmodel leads to file inclusion. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-251551.
CVE-2024-0265 1 Oretnom23 1 Clinic Queuing System 2024-11-21 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php of the component GET Parameter Handler. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249821 was assigned to this vulnerability.
CVE-2024-0100 2024-11-21 N/A 6.5 MEDIUM
NVIDIA Triton Inference Server for Linux contains a vulnerability in the tracing API, where a user can corrupt system files. A successful exploit of this vulnerability might lead to denial of service and data tampering.
CVE-2024-0087 2024-11-21 N/A 9.0 CRITICAL
NVIDIA Triton Inference Server for Linux contains a vulnerability where a user can set the logging location to an arbitrary file. If this file exists, logs are appended to the file. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
CVE-2023-6569 1 H2o 1 H2o 2024-11-21 N/A 8.2 HIGH
External Control of File Name or Path in h2oai/h2o-3
CVE-2023-4191 1 Resort Reservation System Project 1 Resort Reservation System 2024-11-21 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, has been found in SourceCodester Resort Reservation System 1.0. Affected by this issue is some unknown functionality of the file index.php. The manipulation of the argument page leads to file inclusion. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-236234 is the identifier assigned to this vulnerability.
CVE-2023-49864 1 Wwbn 1 Avideo 2024-11-21 N/A 6.5 MEDIUM
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_image` parameter.
CVE-2023-49863 1 Wwbn 1 Avideo 2024-11-21 N/A 6.5 MEDIUM
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_webpimage` parameter.
CVE-2023-49862 1 Wwbn 1 Avideo 2024-11-21 N/A 6.5 MEDIUM
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_gifimage` parameter.
CVE-2023-49738 1 Wwbn 1 Avideo 2024-11-21 N/A 7.5 HIGH
An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.
CVE-2023-47862 1 Wwbn 1 Avideo 2024-11-21 N/A 9.8 CRITICAL
A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send a series of HTTP requests to trigger this vulnerability.