Total: 7020 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-15516 | 1 Cuberite | 1 Cuberite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Cuberite before 2019-06-11 allows webadmin directory traversal via ....// because the protection mechanism simply removes one ../ substring. | |||||
CVE-2019-15326 | 1 Codection | 1 Import Users From Csv With Meta | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPress has directory traversal. | |||||
CVE-2019-15323 | 1 Ad Inserter Project | 1 Ad Inserter | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
The ad-inserter plugin before 2.4.20 for WordPress has path traversal. | |||||
CVE-2019-15266 | 1 Cisco | 1 Wireless Lan Controller Software | 2024-11-21 | 2.1 LOW | 4.4 MEDIUM |
A vulnerability in the CLI of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, local attacker to view system files that should be restricted. This vulnerability is due to improper sanitization of user-supplied input in command-line parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. A successful exploit could allow the attacker to view system files that may contain sensitive information. | |||||
CVE-2019-15055 | 1 Mikrotik | 1 Routeros | 2024-11-21 | 5.5 MEDIUM | 6.5 MEDIUM |
MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication. | |||||
CVE-2019-15039 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2019.1. | |||||
CVE-2019-15004 | 1 Atlassian | 1 Jira Service Desk | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability. | |||||
CVE-2019-15003 | 1 Atlassian | 1 Jira Service Desk | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via authorization bypass. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability. | |||||
CVE-2019-14994 | 1 Atlassian | 1 Jira Service Desk | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability. | |||||
CVE-2019-14914 | 1 Prise | 1 Adas | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
An issue was discovered in PRiSE adAS 1.7.0. The path is not properly escaped in the medatadata_del method, leading to an arbitrary file read and deletion via Directory Traversal. | |||||
CVE-2019-14798 | 1 10web | 1 Photo Gallery | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter. | |||||
CVE-2019-14788 | 1 Tribulant | 1 Newsletters | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. | |||||
CVE-2019-14768 | 1 Dimo-crm | 1 Yellowbox Crm | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
An Arbitrary File Upload issue in the file browser of DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to deploy a new WebApp WAR file to the Tomcat server via Path Traversal, allowing remote code execution with SYSTEM privileges. | |||||
CVE-2019-14767 | 1 Dimo-crm | 1 Yellowbox Crm | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
In DIMO YellowBox CRM before 6.3.4, Path Traversal in images/Apparence (dossier=../) and servletrecuperefichier (document=../) allows an unauthenticated user to download arbitrary files from the server. | |||||
CVE-2019-14766 | 1 Dimo-crm | 1 Yellowbox Crm | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Path Traversal in the file browser of DIMO YellowBox CRM before 6.3.4 allows a standard authenticated user to browse the server filesystem. | |||||
CVE-2019-14751 | 1 Nltk | 1 Nltk | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction. | |||||
CVE-2019-14701 | 1 Microdigital | 6 Mdc-n2190v, Mdc-n2190v Firmware, Mdc-n4090 and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can trigger read operations on an arbitrary file via Path Traversal in the TZ parameter, but cannot retrieve the data that is read. This causes a denial of service if the filename is, for example, /dev/random. | |||||
CVE-2019-14700 | 1 Microdigital | 6 Mdc-n2190v, Mdc-n2190v Firmware, Mdc-n4090 and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. There is disclosure of the existence of arbitrary files via Path Traversal in HTTPD. This occurs because the filename specified in the TZ parameter is accessed with a substantial delay if that file exists. | |||||
CVE-2019-14657 | 1 Yeahlink | 6 T49g, T49g Firmware, T58v and 3 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
Yealink phones through 2019-08-04 have an issue with OpenVPN file upload. They execute tar as root to extract files, but do not validate the extraction directory. Creating a tar file with ../../../../ allows replacement of almost any file on a phone. This leads to password replacement and arbitrary code execution as root. | |||||
CVE-2019-14530 | 1 Open-emr | 1 Openemr | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server. |