Total: 7224 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-39345 | 1 Gin-vue-admin Project | 1 Gin-vue-admin | 2024-11-21 | N/A | 9.8 CRITICAL |
Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. Gin-vue-admin prior to 2.5.4 is vulnerable to path traversal, which leads to file upload vulnerabilities. Version 2.5.4 contains a patch for this issue. There are no workarounds aside from upgrading to a patched version. | |||||
CVE-2022-39296 | 1 Melistechnology | 1 Melis-asset-manager | 2024-11-21 | N/A | 8.6 HIGH |
MelisAssetManager provides deliveries of Melis Platform's assets located in every module's public folder. Attackers can read arbitrary files on affected versions of `melisplatform/melis-asset-manager`, leading to the disclosure of sensitive information. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-asset-manager` >= 5.0.1. This issue was addressed by restricting access to files to intended directories only. | |||||
CVE-2022-39261 | 4 Debian, Drupal, Fedoraproject and 1 more | 4 Debian Linux, Drupal, Fedora and 1 more | 2024-11-21 | N/A | 7.5 HIGH |
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading. | |||||
CVE-2022-39221 | 2 Mcwebserver Minecraft Mod For Fabric And Quilt Project, Mcwebserver Minecraft Mod For Forge Project | 2 Mcwebserver Minecraft Mod For Fabric And Quilt, Mcwebserver Minecraft Mod For Forge | 2024-11-21 | N/A | 7.5 HIGH |
McWebserver mod runs a simple HTTP server alongside the Minecraft server in separate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files accessible by the program to be read by anyone via HTTP request. Version 0.2.0 with patches has been released for both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the `mods` directory. | |||||
CVE-2022-39210 | 1 Nextcloud | 1 Nextcloud | 2024-11-21 | N/A | 3.2 LOW |
Nextcloud Android is the official Android client for the Nextcloud home server platform. Internal paths to the Nextcloud Android app files are not properly protected. As a result, access to internal files from within the Nextcloud Android app is possible. This may lead to a leak of sensitive information in some cases. It is recommended that the Nextcloud Android app is upgraded to 3.21.0. There are no known workarounds for this issue. | |||||
CVE-2022-39059 | 1 Changingtec | 1 Megaservisignadapter | 2024-11-21 | N/A | 7.5 HIGH |
ChangingTech MegaServiSignAdapter component has a path traversal vulnerability within its file reading function. An unauthenticated remote attacker can exploit this vulnerability to access arbitrary system files. | |||||
CVE-2022-39058 | 1 Changingtec | 1 Rava Certificate Validation System | 2024-11-21 | N/A | 7.5 HIGH |
RAVA certification validation system has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and access arbitrary system files. | |||||
CVE-2022-39045 | 1 Siretta | 2 Quartz-gold, Quartz-gold Firmware | 2024-11-21 | N/A | 8.8 HIGH |
A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability. | |||||
CVE-2022-39040 | 1 Aenrich | 1 A+hrd | 2024-11-21 | N/A | 7.5 HIGH |
aEnrich a+HRD log read function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files. | |||||
CVE-2022-39037 | 1 Flowring | 1 Agentflow | 2024-11-21 | N/A | 7.5 HIGH |
Agentflow BPM file download function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and download arbitrary system files. | |||||
CVE-2022-39034 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 6.5 MEDIUM |
Smart eVision has a path traversal vulnerability in the Report API function due to insufficient filtering for special characters in URLs. A remote attacker with general user privilege can exploit this vulnerability to bypass authentication, access restricted paths and download system files. | |||||
CVE-2022-39033 | 1 Lcnet | 1 Smart Evision | 2024-11-21 | N/A | 9.8 CRITICAL |
Smart eVision’s file acquisition function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, access restricted paths to download and delete arbitrary system files to disrupt service. | |||||
CVE-2022-39023 | 1 Edetw | 1 U-office Force | 2024-11-21 | N/A | 6.5 MEDIUM |
U-Office Force Download function has a path traversal vulnerability. A remote attacker with general user privilege can exploit this vulnerability to download arbitrary system files. | |||||
CVE-2022-39022 | 1 Edetw | 1 U-office Force | 2024-11-21 | N/A | 6.5 MEDIUM |
U-Office Force Download function has a path traversal vulnerability. A remote attacker with general user privilege can exploit this vulnerability to download arbitrary system files. | |||||
CVE-2022-38794 | 1 Zaver Project | 1 Zaver | 2024-11-21 | N/A | 7.5 HIGH |
Zaver through 2020-12-15 allows directory traversal via the GET /.. substring. | |||||
CVE-2022-38638 | 1 Casbin | 1 Casdoor | 2024-11-21 | N/A | 9.1 CRITICAL |
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource. | |||||
CVE-2022-38614 | 1 Bpcbt | 1 Smartvista Cardgen | 2024-11-21 | N/A | 7.5 HIGH |
An issue in the IGB Files and OutfileService features of SmartVista Cardgen v3.28.0 allows attackers to list and download arbitrary files via modifying the PATH parameter. | |||||
CVE-2022-38613 | 1 Bpcbt | 1 Smartvista Cardgen | 2024-11-21 | N/A | 6.5 MEDIUM |
A Path Traversal vulnerability in SmartVista Cardgen v3.28.0 allows authenticated attackers to read arbitrary files in the system. | |||||
CVE-2022-38485 | 1 Agevolt | 1 Agevolt | 2024-11-21 | N/A | 6.5 MEDIUM |
A directory traversal vulnerability exists in the AgeVolt Portal prior to version 0.1 that leads to Information Disclosure. A remote authenticated attacker could leverage this vulnerability to read files from any location on the target operating system with web server privileges. | |||||
CVE-2022-38484 | 1 Agevolt | 1 Agevolt | 2024-11-21 | N/A | 8.8 HIGH |
An arbitrary file upload and directory traversal vulnerability exists in the file upload functionality of the System Setup menu in AgeVolt Portal prior to version 0.1. A remote authenticated attacker could leverage this vulnerability to upload files to any location on the target operating system with web server privileges. |