Total
89 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-57785 | 2025-02-04 | N/A | 4.9 MEDIUM | ||
| Zenitel AlphaWeb XE v11.2.3.10 was discovered to contain a local file inclusion vulnerability via the component amc_uploads.php. | |||||
| CVE-2023-31814 | 1 Dlink | 2 Dir-300, Dir-300 Firmware | 2025-01-17 | N/A | 9.8 CRITICAL |
| D-Link DIR-300 firmware <=REVA1.06 and <=REVB2.06 is vulnerable to File inclusion via /model/__lang_msg.php. | |||||
| CVE-2023-27561 | 3 Debian, Linuxfoundation, Redhat | 4 Debian Linux, Runc, Enterprise Linux and 1 more | 2024-12-06 | N/A | 7.0 HIGH |
| runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. | |||||
| CVE-2024-37150 | 1 Deno | 1 Deno | 2024-11-21 | N/A | 7.6 HIGH |
| An issue in `.npmrc` support in Deno 1.44.0 was discovered where Deno would send `.npmrc` credentials for the scope to the tarball URL when the registry provided URLs for a tarball on a different domain. All users relying on .npmrc are potentially affected by this vulnerability if their private registry references tarball URLs at a different domain. This includes usage of deno install subcommand, auto-install for npm: specifiers and LSP usage. It is recommended to upgrade to Deno 1.44.1 and if your private registry ever serves tarballs at a different domain to rotate your registry credentials. | |||||
| CVE-2023-42451 | 1 Joinmastodon | 1 Mastodon | 2024-11-21 | N/A | 7.4 HIGH |
| Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue. | |||||
| CVE-2023-34092 | 1 Vitejs | 1 Vite | 2024-11-21 | N/A | 7.5 HIGH |
| Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16. | |||||
| CVE-2023-28643 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 5.5 MEDIUM |
| Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user. | |||||
| CVE-2022-41874 | 1 Tauri | 1 Tauri | 2024-11-21 | N/A | 2.6 LOW |
| Tauri is a framework for building binaries for all major desktop platforms. In versions prior to 1.0.7 and 1.1.2, Tauri is vulnerable to an Incorrectly-Resolved Name. Due to incorrect escaping of special characters in paths selected via the file dialog and drag and drop functionality, it is possible to partially bypass the `fs` scope definition. It is not possible to traverse into arbitrary paths, as the issue is limited to neighboring files and sub folders of already allowed paths. The impact differs on Windows, MacOS and Linux due to different specifications of valid path characters. This bypass depends on the file picker dialog or dragged files, as user selected paths are automatically added to the allow list at runtime. A successful bypass requires the user to select a pre-existing malicious file or directory during the file picker dialog and an adversary controlled logic to access these files. The issue has been patched in versions 1.0.7, 1.1.2 and 1.2.0. As a workaround, disable the dialog and fileDropEnabled component inside the tauri.conf.json. | |||||
| CVE-2022-31089 | 1 Parseplatform | 1 Parse-server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as single instance without redundancy, the availability impact may be high. This issue has been addressed in versions 4.10.12 and 5.2.3. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-30621 | 1 Cellinx | 2 Cellinx Nvt - Ip Ptz Camera, Cellinx Nvt - Ip Ptz Camera Firmware | 2024-11-21 | N/A | 7.6 HIGH |
| Allows a remote user to read files on the camera's OS "GetFileContent.cgi". Reading arbitrary files on the camera's OS as root user. | |||||
| CVE-2022-29448 | 1 Wow-estore | 1 Herd Effects | 2024-11-21 | 4.0 MEDIUM | 6.8 MEDIUM |
| Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 at WordPress. | |||||
| CVE-2022-27778 | 4 Haxx, Netapp, Oracle and 1 more | 19 Curl, Active Iq Unified Manager, Bh500s Firmware and 16 more | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`. | |||||
| CVE-2022-0855 | 1 Microweber | 1 Whmcs | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| Improper Resolution of Path Equivalence in GitHub repository microweber-dev/whmcs_plugin prior to 0.0.4. | |||||
| CVE-2021-40856 | 1 Auerswald | 6 Comfortel 1400 Ip, Comfortel 1400 Ip Firmware, Comfortel 2600 Ip and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring. | |||||
| CVE-2021-39156 | 1 Istio | 1 Istio | 2024-11-21 | 5.0 MEDIUM | 8.1 HIGH |
| Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path. | |||||
| CVE-2021-37144 | 1 Cszcms | 1 Csz Cms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| CSZ CMS 1.2.9 is vulnerable to Arbitrary File Deletion. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. | |||||
| CVE-2021-32054 | 1 Fire.ly | 1 Spark | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a victim's web browser. | |||||
| CVE-2021-31933 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution. | |||||
| CVE-2021-31920 | 1 Istio | 1 Istio | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. | |||||
| CVE-2021-27306 | 1 Konghq | 1 Kong Gateway | 2024-11-21 | 4.3 MEDIUM | 7.5 HIGH |
| An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT. | |||||