Total
7200 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27473 | 1 Rockwellautomation | 1 Connected Components Workbench | 2024-11-21 | 6.9 MEDIUM | 6.1 MEDIUM |
| Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful. | |||||
| CVE-2021-27471 | 1 Rockwellautomation | 1 Connected Components Workbench | 2024-11-21 | 6.8 MEDIUM | 7.7 HIGH |
| The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by Rockwell Automation Connected Components Workbench v12.00.00 and prior, can traverse the file system. If successfully exploited, an attacker could overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful. | |||||
| CVE-2021-27461 | 1 Emerson | 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected webserver applications allow access to stored data that can be obtained by using specially crafted URLs. | |||||
| CVE-2021-27402 | 1 Mitel | 1 Micollab | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL validation, aka Directory Traversal. | |||||
| CVE-2021-27367 | 1 Boltcms | 1 Bolt | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Controller/Backend/FileEditController.php and Controller/Backend/FilemanagerController.php in Bolt before 4.1.13 allow Directory Traversal. | |||||
| CVE-2021-27341 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter. | |||||
| CVE-2021-27328 | 1 Yeastar | 2 Neogate Tg400, Neogate Tg400 Firmware | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key. | |||||
| CVE-2021-27278 | 1 Parallels | 1 Parallels Desktop | 2024-11-21 | 4.6 MEDIUM | 8.2 HIGH |
| This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.1.1-49141. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the current user on the host system. Was ZDI-CAN-12130. | |||||
| CVE-2021-27276 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 5.5 MEDIUM | 7.1 HIGH |
| This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the MibController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12122. | |||||
| CVE-2021-27275 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH |
| This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ConfigFileController class. When parsing the realName parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information or to create a denial-of-service condition on the system. Was ZDI-CAN-12125. | |||||
| CVE-2021-27272 | 1 Netgear | 1 Prosafe Network Management System | 2024-11-21 | 7.5 HIGH | 7.1 HIGH |
| This vulnerability allows remote attackers to delete arbitrary files on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ReportTemplateController class. When parsing the path parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12123. | |||||
| CVE-2021-27030 | 1 Autodesk | 1 Fbx Review | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| A user may be tricked into opening a malicious FBX file which may exploit a Directory Traversal Remote Code Execution vulnerability in FBX’s Review causing it to run arbitrary code on the system. | |||||
| CVE-2021-26814 | 1 Wazuh | 1 Wazuh | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service script. | |||||
| CVE-2021-26736 | 1 Zscaler | 1 Client Connector | 2024-11-21 | N/A | 6.7 MEDIUM |
| Multiple vulnerabilities in the Zscaler Client Connector Installer and Uninstaller for Windows prior to 3.6 allowed execution of binaries from a low privileged path. A local adversary may be able to execute code with SYSTEM privileges. | |||||
| CVE-2021-26725 | 1 Nozominetworks | 2 Central Management Control, Guardian | 2024-11-21 | 4.0 MEDIUM | 7.2 HIGH |
| Path Traversal vulnerability when changing timezone using web GUI of Nozomi Networks Guardian, CMC allows an authenticated administrator to read-protected system files. This issue affects: Nozomi Networks Guardian 20.0.7.3 version 20.0.7.3 and prior versions. Nozomi Networks CMC 20.0.7.3 version 20.0.7.3 and prior versions. | |||||
| CVE-2021-26719 | 1 Gradle | 3 Enterprise Test Distribution Agent, Maven, Test Distribution | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
| A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before 1.8.2. A malicious actor (with certain credentials) can perform a registration step such that crafted TAR archives lead to extraction of files into arbitrary filesystem locations. | |||||
| CVE-2021-26629 | 2 Microsoft, Tobesoft | 2 Windows, Xplatform | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A path traversal vulnerability in XPLATFORM's runtime archive function could lead to arbitrary file creation. When the .xzip archive file is decompressed, an arbitrary file can be d in the parent path by using the path traversal pattern ‘..\’. | |||||
| CVE-2021-26619 | 2 Bigfile, Microsoft | 2 Bigfileagent, Windows | 2024-11-21 | 6.4 MEDIUM | 7.1 HIGH |
| An path traversal vulnerability leading to delete arbitrary files was discovered in BigFileAgent. Remote attackers can use this vulnerability to delete arbitrary files of unspecified number of users. | |||||
| CVE-2021-26601 | 1 Impresscms | 1 Impresscms | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal. | |||||
| CVE-2021-26575 | 1 Hpe | 2 Apollo 70 System, Baseboard Management Controller | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 System prior to version 3.0.14.0 has a path traversal vulnerability in libifc.so webdeletesolvideofile function. | |||||