ReportizFlow
Filtered by vendor
Subscriptions
Total
422 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-45529 | 1 Sscms | 1 Siteserver Cms | 2025-06-30 | 7.1 High |
| An arbitrary file read vulnerability in the ReadTextAsynchronous function of SSCMS v7.3.1 allows attackers to read arbitrary files via sending a crafted GET request to /cms/templates/templatesAssetsEditor. | ||||
| CVE-2024-48647 | 1 Sage | 2 1000, Sage Frp 1000 | 2025-06-27 | 7.2 High |
| A file disclosure vulnerability exists in Sage 1000 v7.0.0. This vulnerability allows remote attackers to retrieve arbitrary files from the server's file system by manipulating the URL parameter in HTTP requests. The attacker can exploit this flaw to access sensitive information, including configuration files that may contain credentials and system settings, which could lead to further compromise of the server. | ||||
| CVE-2024-50627 | 1 Digi | 7 Connectport Lts 16, Connectport Lts 16 Mei, Connectport Lts 16 Mei 2ac and 4 more | 2025-06-27 | 8.8 High |
| An issue was discovered in Digi ConnectPort LTS before 1.4.12. A Privilege Escalation vulnerability exists in the file upload feature. It allows an attacker on the local area network (with specific permissions) to upload and execute malicious files, potentially leading to unauthorized system access. | ||||
| CVE-2023-52112 | 1 Huawei | 2 Emui, Harmonyos | 2025-06-20 | 5.3 Medium |
| Unauthorized file access vulnerability in the wallpaper service module. Successful exploitation of this vulnerability may cause features to perform abnormally. | ||||
| CVE-2023-45160 | 1 1e | 1 Client | 2025-06-18 | 8.8 High |
| In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files, e.g., to substitute a harmful script. by replacing a resource script file created by an instruction at run time with a malicious script. The 1E Client's temporary directory is now locked down in the released patch. Resolution: This has been fixed in patch Q23094 This issue has also been fixed in the Mac Client in updated versions of Non-Windows release v8.1.2.62 - please re-download from the 1E Support site. Customers with Mac Client versions higher than v8.1 will need to upgrade to v23.11 to remediate this vulnerability. | ||||
| CVE-2023-6266 | 1 Backupbliss | 1 Backup Migration | 2025-06-18 | 7.5 High |
| The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more. | ||||
| CVE-2023-47202 | 1 Trendmicro | 1 Apex One | 2025-06-17 | 7.8 High |
| A local file inclusion vulnerability on the Trend Micro Apex One management server could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | ||||
| CVE-2024-8031 | 1 Wpbookingcalendar | 1 Secure Downloads | 2025-06-12 | 6.5 Medium |
| The Secure Downloads WordPress plugin before 1.2.3 is vulnerable does not properly restrict which files can be downloaded. This makes it possible for authenticated attackers, with admin-level access and above, to download arbitrary files that may contain sensitive information like wp-config.php. | ||||
| CVE-2024-24161 | 1 Mrcms | 1 Mrcms | 2025-06-12 | 7.5 High |
| MRCMS 3.0 contains an Arbitrary File Read vulnerability in /admin/file/edit.do as the incoming path parameter is not filtered. | ||||
| CVE-2024-48019 | 1 Apache | 1 Doris | 2025-06-09 | 5.4 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Files or Directories Accessible to External Parties vulnerability in Apache Doris. Application administrators can read arbitrary files from the server filesystem through path traversal. Users are recommended to upgrade to version 2.1.8, 3.0.3 or later, which fixes the issue. | ||||
| CVE-2024-51058 | 1 Tcpdf Project | 1 Tcpdf | 2025-06-03 | 6.2 Medium |
| Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through <img> src tag, potentially exposing sensitive information. | ||||
| CVE-2025-4634 | 2025-05-30 | 4.1 Medium | ||
| The web portal on airpointer 2.4.107-2 was vulnerable local file inclusion. A malicious user with administrative privileges in the web portal would be able to manipulate requests to view files on the filesystem | ||||
| CVE-2025-5273 | 2025-05-29 | 6.5 Medium | ||
| All versions of the package mcp-markdownify-server are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server. | ||||
| CVE-2025-4134 | 2025-05-28 | 7.3 High | ||
| Lack of file validation in do_update_vps in Avast Business Antivirus for Linux 4.5 on Linux allows local user to spoof or tamper with the update file via an unverified file write. | ||||
| CVE-2025-4807 | 1 Senior-walter | 1 Online Student Clearance System | 2025-05-28 | 5.3 Medium |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-4909 | 1 Lerouxyxchire | 1 Client Database Management System | 2025-05-28 | 7.3 High |
| A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-38952 | 1 Zkteco | 1 Biotime | 2025-05-27 | 7.5 High |
| Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints. | ||||
| CVE-2023-5907 | 1 Bitapps | 1 File Manager | 2025-05-27 | 6.5 Medium |
| The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files. | ||||
| CVE-2021-21343 | 7 Apache, Debian, Fedoraproject and 4 more | 21 Activemq, Jmeter, Debian Linux and 18 more | 2025-05-23 | 5.3 Medium |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | ||||
| CVE-2022-41343 | 1 Dompdf Project | 1 Dompdf | 2025-05-22 | 7.5 High |
| registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule. | ||||