Filtered by CWE-22
Filtered by vendor Subscriptions
Total 6776 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-7061 1 Okta 1 Verify 2024-08-28 5.5 Medium
Okta Verify for Windows is vulnerable to privilege escalation through DLL hijacking. The vulnerability is fixed in Okta Verify for Windows version 5.0.2. To remediate this vulnerability, upgrade to 5.0.2 or greater.
CVE-2024-41310 1 Yanzhenjie 1 Andserver 2024-08-28 7.5 High
AndServer 2.1.12 is vulnerable to Directory Traversal.
CVE-2024-6141 1 Windscribe 1 Windscribe 2024-08-27 7.8 High
Windscribe Directory Traversal Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Windscribe. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windscribe Service. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23441.
CVE-2024-7777 1 Bitapps 1 Contact Form Builder 2024-08-26 9 Critical
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in multiple functions in versions 2.0 to 2.13.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVE-2024-45241 1 Centralsquare 1 Crywolf 2024-08-26 7.5 High
A traversal vulnerability in GeneralDocs.aspx in CentralSquare CryWolf (False Alarm Management) through 2024-08-09 allows unauthenticated attackers to read files outside of the working web directory via the rpt parameter, leading to the disclosure of sensitive information.
CVE-2024-45256 1 Malwared 1 Byob 2024-08-26 9.8 Critical
An arbitrary file write issue in the exfiltration endpoint in BYOB (Build Your Own Botnet) 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in file_add in api/files/routes.py.
CVE-2024-21877 1 Enphase 3 Envoy, Iq Gateway, Iq Gateway Firmware 2024-08-23 6.5 Medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a url parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication.This issue affects Envoy: from 4.x to 8.0 and < 8.2.4225.
CVE-2024-21876 1 Enphase 3 Envoy, Iq Gateway, Iq Gateway Firmware 2024-08-23 9.1 Critical
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability via a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows an unautheticated attacker to access or create arbitratry files.This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
CVE-2024-7603 1 Logsign 1 Unified Secops Platform 2024-08-23 8.1 High
Logsign Unified SecOps Platform Directory Traversal Arbitrary Directory Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary directories on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete directories in the context of root. Was ZDI-CAN-25028.
CVE-2024-7602 1 Logsign 1 Unified Secops Platform 2024-08-23 6.5 Medium
Logsign Unified SecOps Platform Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-25027.
CVE-2024-7601 1 Logsign 1 Unified Secops Platform 2024-08-23 8.1 High
Logsign Unified SecOps Platform Directory data_export_delete_all Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-25026.
CVE-2024-7600 1 Logsign 1 Unified Secops Platform 2024-08-23 8.1 High
Logsign Unified SecOps Platform Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the HTTP API service, which listens on TCP port 443 by default. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-25025.
CVE-2024-7634 2024-08-23 4.9 Medium
NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory.
CVE-2024-7263 2 Kingsoft, Microsoft 2 Wps Office, Windows 2024-08-22 7.8 High
Improper path validation in promecefpluginhost.exe in Kingsoft WPS Office version ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive) on Windows allows an attacker to load an arbitrary Windows library. The patch released in version 12.1.0.17119 to mitigate CVE-2024-7262 was not restrictive enough. Another parameter was not properly sanitized which leads to the execution of an arbitrary Windows library.
CVE-2024-41936 1 Vonets 28 Vap11ac, Vap11ac Firmware, Vap11g and 25 more 2024-08-21 7.5 High
A directory traversal vulnerability affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enables an unauthenticated remote attacker to read arbitrary files and bypass authentication.
CVE-2024-7741 2 Ltcms, Wanglongcn 2 Ltcms, Ltcms 2024-08-21 5.3 Medium
A vulnerability was found in wanglongcn ltcms 1.0.20 and classified as critical. This issue affects the function downloadFile of the file /api/file/downloadfile of the component API Endpoint. The manipulation of the argument file leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-43022 1 Tosei 1 Online Store Management System 2024-08-21 7.5 High
An issue in the downloader.php component of TOSEI online store management system v4.02, v4.03, and v4.04 allows attackers to execute a directory traversal.
CVE-2024-7924 1 Zzcms 1 Zzcms 2024-08-21 5.3 Medium
A vulnerability was found in ZZCMS 2023. It has been declared as critical. This vulnerability affects unknown code of the file /I/list.php. The manipulation of the argument skin leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-43232 1 Wponlinesupport 1 Timeline And History Slider 2024-08-21 8.5 High
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP OnlineSupport, Essential Plugin Timeline and History slider allows PHP Local File Inclusion.This issue affects Timeline and History slider: from n/a through 2.3.
CVE-2024-6618 2 Aveva, Ocean Data Systems 2 Reports For Operations 2023, Dream Report 2023 2024-08-20 N/A
In Ocean Data Systems Dream Report, a path traversal vulnerability could allow an attacker to perform remote code execution through the injection of a malicious dynamic-link library (DLL).