Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2018-3758

Summary
Assigner-hackerone
Assigner Org ID-36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At-07 Jun, 2018 | 21:00
Updated At-17 Sep, 2024 | 02:11
Rejected At-
Credits

Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:hackerone
Assigner Org ID:36234546-b8fa-4601-9d6f-f4e334aa8ea1
Published At:07 Jun, 2018 | 21:00
Updated At:17 Sep, 2024 | 02:11
Rejected At:
▼CVE Numbering Authority (CNA)

Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.

Affected Products
Vendor
HackerOneHackerOne
Product
express-cart
Versions
Affected
  • 1.1.7
Problem Types
TypeCWE IDDescription
CWECWE-22Path Traversal (CWE-22)
Type: CWE
CWE ID: CWE-22
Description: Path Traversal (CWE-22)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://hackerone.com/reports/343726
x_refsource_MISC
Hyperlink: https://hackerone.com/reports/343726
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://hackerone.com/reports/343726
x_refsource_MISC
x_transferred
Hyperlink: https://hackerone.com/reports/343726
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:support@hackerone.com
Published At:07 Jun, 2018 | 21:29
Updated At:30 Jan, 2023 | 16:05

Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access in the hosting machine.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary2.09.0HIGH
AV:N/AC:L/Au:S/C:C/I:C/A:C
Type: Primary
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 9.0
Base severity: HIGH
Vector:
AV:N/AC:L/Au:S/C:C/I:C/A:C
CPE Matches
express-cart_project
express-cart_project
>>express-cart>>Versions before 1.1.7(exclusive)
cpe:2.3:a:express-cart_project:express-cart:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-434Primarynvd@nist.gov
CWE-22Secondarysupport@hackerone.com
CWE ID: CWE-434
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-22
Type: Secondary
Source: support@hackerone.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://hackerone.com/reports/343726support@hackerone.com
Exploit
Patch
Third Party Advisory
Hyperlink: https://hackerone.com/reports/343726
Source: support@hackerone.com
Resource:
Exploit
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

1518Records found
CVE-2017-16172
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.26%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

section2.madisonjbrooks12 is a simple web server. section2.madisonjbrooks12 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-section2.madisonjbrooks12_projectHackerOne
Product-section2.madisonjbrooks12section2.madisonjbrooks12 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16037
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.24%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 19:00
Updated-16 Sep, 2024 | 22:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

`gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allowing attackers to access any file in the system by placing '../' in the URL.

Action-Not Available
Vendor-gomeplus-h5-proxy_projectHackerOne
Product-gomeplus-h5-proxygomeplus-h5-proxy node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16139
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jikes is a file server. jikes is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Accessible files are restricted to files with .htm and .js extensions.

Action-Not Available
Vendor-jikes_projectHackerOne
Product-jikesjikes node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16213
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 03:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

mfrserver is a simple file server. mfrserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-mfrserver_projectHackerOne
Product-mfrservermfrserver node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16094
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.24%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

iter-http is a server for static files. iter-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-iter-http_projectHackerOne
Product-iter-httpiter-http node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16189
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

sly07 is an API for censoring text. sly07 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-sly07_projectHackerOne
Product-sly07sly07 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16170
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

liuyaserver is a static file server. liuyaserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-liuyaserver_projectHackerOne
Product-liuyaserverliuyaserver node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16101
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

serverwg is a simple http server. serverwg is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Action-Not Available
Vendor-serverwg_projectHackerOne
Product-serverwgserverwg node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16124
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.24%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

node-server-forfront is a simple static file server. node-server-forfront is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-node-server-forfront_projectHackerOne
Product-node-server-forfrontnode-server-forfront node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16176
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jansenstuffpleasework is a file server. jansenstuffpleasework is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-jansenstuffpleasework_projectHackerOne
Product-jansenstuffpleaseworkjansenstuffpleasework node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16097
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 00:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

tiny-http is a simple http server. tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-tiny-http_projectHackerOne
Product-tiny-httptiny-http node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16174
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

whispercast is a file server. whispercast is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-whispercast_projectHackerOne
Product-whispercastwhispercast node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16179
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-1.70% / 74.26%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 23:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dasafio is a web server. dasafio is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. File access is restricted to only .html files.

Action-Not Available
Vendor-dasafio_projectHackerOne
Product-dasafiodasafio node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16107
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

pooledwebsocket is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-pooledwebsocket_projectHackerOne
Product-pooledwebsocketpooledwebsocket node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16178
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.24%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

intsol-package is a file server. intsol-package is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-intsol-package_projectHackerOne
Product-intsol-packageintsol-package node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16140
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

lab6.brit95 is a file server. lab6.brit95 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-lab6.brit95_projectHackerOne
Product-lab6.brit95lab6.brit95 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16134
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.26%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 23:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

http_static_simple is an http server. http_static_simple is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-http_static_simple_projectHackerOne
Product-http_static_simplehttp_static_simple node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16219
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.24%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

yttivy is a static file server. yttivy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-yttivy_projectHackerOne
Product-yttivyyttivy node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16184
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

scott-blanch-weather-app is a sample Node.js app using Express 4. scott-blanch-weather-app is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-scott-blanch-weather-app_projectHackerOne
Product-scott-blanch-weather-appscott-blanch-weather-app node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16104
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

citypredict.whauwiller is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-citypredict.whauwiller_projectHackerOne
Product-citypredict.whauwillercitypredict.whauwiller node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16188
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

reecerver is a web server. reecerver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-reecerver_projectHackerOne
Product-reecerverreecerver node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16089
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

serverlyr is a simple http server. serverlyr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Action-Not Available
Vendor-serverlyr_projectHackerOne
Product-serverlyrserverlyr node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16197
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-3.19% / 86.44%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

qinserve is a static file server. qinserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-qinserve_projectHackerOne
Product-qinserveqinserve node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16152
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

static-html-server is a static file server. static-html-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-static-html-server_projectHackerOne
Product-static-html-serverstatic-html-server node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16133
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.26%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 23:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

goserv is an http server. goserv is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-goserv_projectHackerOne
Product-goservgoserv node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16158
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dcserver is a static file server. dcserver is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-dcserver_projectHackerOne
Product-dcserverdcserver node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16218
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

dgard8.lab6 is a static file server. dgard8.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-dgard8.lab6_projectHackerOne
Product-dgard8.lab6dgard8.lab6 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16217
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

fbr-client sends files through sockets via socket.io and webRTC. fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-webrtc-experimentHackerOne
Product-fbr-clientfbr-client node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16131
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.26%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

unicorn-list is a web framework. unicorn-list is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-unicorn-list_projectHackerOne
Product-unicorn-listunicorn-list node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16155
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

fast-http-cli is the command line interface for fast-http, a simple web server. fast-http-cli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-fast-http-cli_projectHackerOne
Product-fast-http-clifast-http-cli node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16039
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.24%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 19:00
Updated-17 Sep, 2024 | 02:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

`hftp` is a static http or ftp server `hftp` is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-hftp_projectHackerOne
Product-hftphftp node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16210
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

jn_jj_server is a static file server. jn_jj_server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-jn_jj_server_projectHackerOne
Product-jn_jj_serverjn_jj_server node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16153
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-1.75% / 75.00%
||
7 Day CHG~0.00%
Published-29 May, 2018 | 20:00
Updated-16 Sep, 2024 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

gaoxuyan is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-gaoxuyan_projectHackerOne
Product-gaoxuyangaoxuyan node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16150
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 03:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

wanggoujing123 is a simple webserver. wanggoujing123 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-wanggoujing123_projectHackerOne
Product-wanggoujing123wangguojing123 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16223
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-nodeaaaaa_projectHackerOne
Product-nodeaaaaanodeaaaaa node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16160
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

11xiaoli is a simple file server. 11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-11xiaoli_projectHackerOne
Product-11xiaoli11xiaoli node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16161
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 16:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

shenliru is a simple file server. shenliru is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-shenliru_projectHackerOne
Product-shenlirushenliru node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16095
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.24%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-17 Sep, 2024 | 01:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

serverliujiayi1 is a simple http server. serverliujiayi1 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Action-Not Available
Vendor-serverliujiayi1_projectHackerOne
Product-serverliujiayi1serverliujiayi1 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16038
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.54% / 82.95%
||
7 Day CHG~0.00%
Published-04 Jun, 2018 | 19:00
Updated-16 Sep, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

`f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. This is compounded by `f2e-server` requiring elevated privileges to run.

Action-Not Available
Vendor-f2e-server_projectHackerOne
Product-f2e-serverf2e-server node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16091
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-1.79% / 75.56%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

xtalk helps your browser talk to nodex, a simple web framework. xtalk is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.

Action-Not Available
Vendor-xtalk_projectHackerOne
Product-xtalkxtalk node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16090
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.24%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

fsk-server is a simple http server. fsk-server is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-fsk-server_projectHackerOne
Product-fsk-serverfsk-server node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16144
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.23%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 18:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

myserver.alexcthomas18 is a file server. myserver.alexcthomas18 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-myserver.alexcthomas18_projectHackerOne
Product-myserver.alexcthomas18myserver.alexcthomas18 node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2017-16157
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.00% / 78.25%
||
7 Day CHG~0.00%
Published-07 Jun, 2018 | 02:00
Updated-16 Sep, 2024 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

censorify.tanisjr is a simple web server and API RESTful service. censorify.tanisjr is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.

Action-Not Available
Vendor-censorify.tanisjr_projectHackerOne
Product-censorify.tanisjrcensorify.tanisjr node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2016-10561
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-5.3||MEDIUM
EPSS-1.50% / 70.84%
||
7 Day CHG~0.00%
Published-31 May, 2018 | 20:00
Updated-17 Sep, 2024 | 04:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bitty is a development web server tool that functions similar to `python -m SimpleHTTPServer`. Version 0.2.10 has a directory traversal vulnerability that is exploitable via the URL path in GET requests.

Action-Not Available
Vendor-bitty_projectHackerOne
Product-bittybitty node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2016-10538
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-3.5||LOW
EPSS-0.99% / 57.99%
||
7 Day CHG~0.00%
Published-31 May, 2018 | 20:00
Updated-17 Sep, 2024 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.

Action-Not Available
Vendor-cli_projectDebian GNU/LinuxHackerOne
Product-debian_linuxclicli node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2016-10528
Matching Score-6
Assigner-HackerOne
ShareView Details
Matching Score-6
Assigner-HackerOne
CVSS Score-4.9||MEDIUM
EPSS-1.20% / 64.12%
||
7 Day CHG~0.00%
Published-31 May, 2018 | 20:00
Updated-17 Sep, 2024 | 01:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to run inside of that root path it specified.

Action-Not Available
Vendor-restafary_projectHackerOne
Product-restafaryrestafary node module
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-22629
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-12.32% / 95.68%
||
7 Day CHG~0.00%
Published-14 Feb, 2023 | 00:00
Updated-20 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in TitanFTP through 1.94.1205. The move-file function has a path traversal vulnerability in the newPath parameter. An authenticated attacker can upload any file and then move it anywhere on the server's filesystem.

Action-Not Available
Vendor-southrivertechn/a
Product-titan_ftp_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-51499
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.70% / 48.11%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 19:52
Updated-04 Sep, 2025 | 17:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MarkUs Arbitrary File Write leading up to remote code execution (student accounts)

MarkUs is a web application for the submission and grading of student assignments. In versions prior to 2.4.8, an arbitrary file write vulnerability accessible via the update_files method of the SubmissionsController allows authenticated users (e.g. students) to write arbitrary files to any location on the web server MarkUs is running on (depending on the permissions of the underlying filesystem). e.g. This can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. MarkUs v2.4.8 has addressed this issue. No known workarounds are available at the application level aside from upgrading.

Action-Not Available
Vendor-markusprojectMarkUsProject
Product-markusMarkus
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2019-11074
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-4.54% / 90.34%
||
7 Day CHG~0.00%
Published-17 Mar, 2020 | 14:06
Updated-04 Aug, 2024 | 22:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Write to Arbitrary Location in Disk vulnerability exists in PRTG Network Monitor 19.1.49 and below that allows attackers to place files in arbitrary locations with SYSTEM privileges (although not controlling the contents of such files) due to insufficient sanitisation when passing arguments to the phantomjs.exe binary. In order to exploit the vulnerability, remote authenticated administrators need to create a new HTTP Full Web Page Sensor and set specific settings when executing the sensor.

Action-Not Available
Vendor-paesslern/a
Product-prtg_network_monitorn/a
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-5145
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.71% / 48.79%
||
7 Day CHG~0.00%
Published-20 May, 2024 | 22:31
Updated-10 Feb, 2025 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Vehicle Management System HTTP POST Request newdriver.php unrestricted upload

A vulnerability was found in SourceCodester Vehicle Management System up to 1.0 and classified as critical. This issue affects some unknown processing of the file /newdriver.php of the component HTTP POST Request Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-265289 was assigned to this vulnerability.

Action-Not Available
Vendor-warrendaloyanSourceCodester
Product-vehicle_management_systemVehicle Management System
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 30
  • 31
  • Next
Details not found