grav is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)

Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks, that can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.

Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.

Certain NETGEAR devices are affected by directory traversal. This affects M4300-28G before 12.0.2.15, M4300-52G before 12.0.2.15, M4300-28G-POE+ before 12.0.2.15, M4300-52G-POE+ before 12.0.2.15, M4300-8X8F before 12.0.2.15, M4300-12X12F before 12.0.2.15, M4300-24X24F before 12.0.2.15, M4300-24X before 12.0.2.15, M4300-48X before 12.0.2.15, and M4200 before 12.0.2.15.

Leptonica 1.74.4 constructs unintended pathnames (containing duplicated path components) when operating on files in /tmp subdirectories, which might allow local users to bypass intended file restrictions by leveraging access to a directory located deeper within the /tmp directory tree, as demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif.

A path handling issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to read arbitrary files.

Directory traversal vulnerability in the server in IBM Rational Software Architect Design Manager and Rhapsody Design Manager 3.x and 4.x before 4.0.5 allows local users to read arbitrary files via vectors involving temporary files.

Directory traversal vulnerability in the client in IBM Rational Software Architect Design Manager and Rhapsody Design Manager 3.x and 4.x before 4.0.5 allows local users to read arbitrary files via vectors involving temporary files.

An issue in Super easy enterprise management system v.1.0.0 and before allows a local attacker to obtain the server absolute path by entering a single quotation mark.

Directory traversal vulnerability in naxsi-ui/nx_extract.py in the Naxsi module before 0.46-1 for Nginx allows local users to read arbitrary files via unspecified vectors.

Function check_attachment_for_errors() in file data/general-hooks/ubuntu.py could be tricked into exposing private data via a constructed crash file. This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3;

An information disclosure via path traversal was discovered in apport/hookutils.py function read_file(). This issue affects: apport 2.14.1 versions prior to 2.14.1-0ubuntu3.29+esm8; 2.20.1 versions prior to 2.20.1-0ubuntu2.30+esm2; 2.20.9 versions prior to 2.20.9-0ubuntu7.26; 2.20.11 versions prior to 2.20.11-0ubuntu27.20; 2.20.11 versions prior to 2.20.11-0ubuntu65.3;

A vulnerability in the debug shell of Cisco IP Phone software could allow an authenticated, local attacker to read any file on the device file system. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by providing crafted input to a debug shell command. A successful exploit could allow the attacker to read any file on the device file system.

Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled location. This occurs during use of local JWT validation with the posix fs driver.

A vulnerability in Brocade Fabric OS versions 7.4.1b and 7.3.1d could allow local users to conduct privileged directory transversal. Brocade Fabric OS versions 7.4.1.x and 7.3.x have reached end of life. Brocade Fabric OS Users should upgrade to supported versions as described in the Product End-of-Life published report.

Dell Repository Manager, versions 3.4.2 through 3.4.4,contains a Path Traversal vulnerability in logger module. A local attacker with low privileges could potentially exploit this vulnerability to gain unauthorized read access to the files stored on the server filesystem with the privileges of the running web application.

Leanote version 2.7.0 allows obtaining arbitrary local files. This is possible because the application is vulnerable to LFR.

A vulnerability in the CLI of Cisco Aironet Access Points (APs) could allow an authenticated, local attacker to access sensitive information stored in an AP. The vulnerability is due to improper sanitization of user-supplied input in specific CLI commands. An attacker could exploit this vulnerability by accessing the CLI of an affected AP with administrator privileges and issuing crafted commands that result in directory traversal. A successful exploit could allow the attacker to view system files on the affected device, which could contain sensitive information. Software versions 8.8 and 8.9 are affected.

A vulnerability in the CLI of Cisco Wireless LAN Controller (WLC) Software could allow an authenticated, local attacker to view system files that should be restricted. This vulnerability is due to improper sanitization of user-supplied input in command-line parameters that describe filenames. An attacker could exploit this vulnerability by using directory traversal techniques to submit a path to a desired file location. A successful exploit could allow the attacker to view system files that may contain sensitive information.

The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory. NOTE: The vendor states that this is analogous to Options FollowSymlinks in the Apache HTTP Server, and therefore it is "not a problem.

Improper Input Validation vulnerability in HYPR Workforce Access on Windows allows Path Traversal.This issue affects Workforce Access: before 8.7.

A path traversal vulnerability in NFX150 Series and QFX10K Series, EX9200 Series, MX Series and PTX Series devices with Next-Generation Routing Engine (NG-RE) allows a local authenticated user to read sensitive system files. This issue only affects NFX150 Series and QFX10K Series, EX9200 Series, MX Series and PTX Series with Next-Generation Routing Engine (NG-RE) which uses vmhost. This issue affects Juniper Networks Junos OS on NFX150 Series and QFX10K, EX9200 Series, MX Series and PTX Series with NG-RE and vmhost: 15.1F versions prior to 15.1F6-S12 16.1 versions starting from 16.1R6 and later releases, including the Service Releases, prior to 16.1R6-S6, 16.1R7-S3; 17.1 versions prior to 17.1R3; 17.2 versions starting from 17.2R1-S3, 17.2R3 and later releases, including the Service Releases, prior to 17.2R3-S1; 17.3 versions starting from 17.3R1-S1, 17.3R2 and later releases, including the Service Releases, prior to 17.3R3-S3; 17.4 versions starting from 17.4R1 and later releases, including the Service Releases, prior to 17.4R1-S6, 17.4R2-S2, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S2, 18.3R2; 18.4 versions prior to 18.4R1-S1, 18.4R2. This issue does not affect: Juniper Networks Junos OS 15.1 and 16.2.

Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the services system user account. We have improved path validation and make sure that any access is contained to the defined root directory. No publicly available exploits are known.

Path traversal vulnerability in the virtualization base module. Successful exploitation of this vulnerability may affect the confidentiality of the virtualization module.

A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.

autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.

Path traversal vulnerability in Galaxy Themes Service prior to SMR Mar-2023 Release 1 allows attacker to access arbitrary file with system uid.

There is a path traversal vulnerability in some Huawei products. The vulnerability is due to that the software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly validate the pathname. Successful exploit could allow the attacker to access a location that is outside of the restricted directory by a crafted filename. Affected product versions include:HUAWEI Mate 20 9.0.0.195(C01E195R2P1), 9.1.0.139(C00E133R3P1);HUAWEI Mate 20 Pro 9.0.0.187(C432E10R1P16), 9.0.0.188(C185E10R2P1), 9.0.0.245(C10E10R2P1), 9.0.0.266(C432E10R1P16), 9.0.0.267(C636E10R2P1), 9.0.0.268(C635E12R1P16), 9.0.0.278(C185E10R2P1); Hima-L29C 9.0.0.105(C10E9R1P16), 9.0.0.105(C185E9R1P16), 9.0.0.105(C636E9R1P16); Laya-AL00EP 9.1.0.139(C786E133R3P1); OxfordS-AN00A 10.1.0.223(C00E210R5P1); Tony-AL00B 9.1.0.257(C00E222R2P1).

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5. Affected is the function sub_1DF14 of the file /cgi-bin/mainfunction.cgi of the component Web Management Interface. The manipulation of the argument option with the input /../etc/passwd- leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-221742 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

A path handling issue was addressed with improved validation. This issue is fixed in macOS Sonoma 14.6, iOS 17.6 and iPadOS 17.6. An app may be able to access protected user data.

A path handling issue was addressed with improved validation. This issue is fixed in macOS Sonoma 14.4. An app may be able to access user-sensitive data.

Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.

An issue was discovered in fs/io_uring.c in the Linux kernel before 5.6. It unsafely handles the root directory during path lookups, and thus a process inside a mount namespace can escape to unintended filesystem locations, aka CID-ff002b30181d.

A Local File Inclusion (LFI) vulnerability exists in the Web Interface API of TightRope Media Carousel Digital Signage before 7.3.5. The RenderingFetch API allows for the downloading of arbitrary files through the use of directory traversal sequences, aka CSL-1683.

A directory traversal vulnerability exists in the F5OS QKView utility that allows an authenticated attacker to read files outside the QKView directory.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

NVIDIA BMC contains a vulnerability in SPX REST API, where an authorized attacker can access arbitrary files, which may lead to information disclosure.

In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.4.0, a directory traversal vulnerability exists in an undisclosed location of the F5OS CLI that allows an attacker to read arbitrary files.

Nextcloud android is the official Android client for the Nextcloud home server platform. Internal paths to the Nextcloud Android app files are not properly protected. As a result access to internal files of the from within the Nextcloud Android app is possible. This may lead to a leak of sensitive information in some cases. It is recommended that the Nextcloud Android app is upgraded to 3.21.0. There are no known workarounds for this issue.

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability.

A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.

Improper access control and path traversal vulnerability in LauncherProvider prior to SMR Aug-2022 Release 1 allow local attacker to access files of One UI.

A flaw was found in Wildfly 9.x. A path traversal vulnerability through the org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource method could lead to information disclosure of arbitrary local files.

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment.

Multiple vulnerabilities in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an attacker to conduct path traversal attacks, view sensitive data, or write arbitrary files on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment.

A vulnerability was found in networkd-dispatcher. This flaw exists because no functions are sanitized by the OperationalState or the AdministrativeState of networkd-dispatcher. This attack leads to a directory traversal to escape from the “/etc/networkd-dispatcher” base directory.

Path traversal vulnerability in UriFileUtils of Samsung Notes prior to version 4.3.14.39 allows attacker to access some file as Samsung Notes permission.

Directory traversal vulnerability in application/templates/amelia/loadjs.php in Free Reprintables ArticleFR 3.0.7 and earlier allows local users to read arbitrary files via the s parameter.