ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files disclosure. Using the specific POST parameter, unauthenticated attackers can remotely disclose arbitrary files on the affected device and disclose sensitive and system information.
dgard8.lab6 is a static file server. dgard8.lab6 is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1. An app may be able to read arbitrary files.
Directory traversal vulnerability in iChain Insurance Wallet App for iOS Version 1.3.0 and earlier allows remote attackers to read arbitrary files via unspecified vectors.
Directory traversal vulnerability in SavySoda WiFi HD Free before 7.0 allows remote attackers to read arbitrary files via a ..%2f (encoded dot dot slash) in a GET request.
fbr-client sends files through sockets via socket.io and webRTC. fbr-client is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Streaming Engine before 4.7.1, traversal of the directory structure and retrieval of a file are possible via a remote, specifically crafted HTTP request.
yzt is a simple file server. yzt is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
A path traversal vulnerability in localhost-now npm package version 1.0.2 allows the attackers to read content of arbitrary files on the remote server.
nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
A Directory Traversal vulnerability exists in WeBankPartners wecube-platform 3.2.1 via the file variable in PluginPackageController.java.
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.
The SecureSphere Operations Manager (SOM) Management Server in Imperva SecureSphere 9.0.0.5 allows remote attackers to obtain sensitive information via (1) a direct request to dwr/call/plaincall/AsyncOperationsContainer.getOperationState.dwr, which reveals the installation path in the s0.filePath field, or (2) a T/keyManagement request to plain/settings.html, which reveals a temporary path in an error message.
sgqserve is a simple file server. sgqserve is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing "../" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a 404 on etc/passwd/index.js.
A path traversal vulnerability in <= v0.2.6 of http-file-server npm module allows attackers to list files in arbitrary folders.
ServerAdmin/TestDRConnection.jsp in DS3 Authentication Server allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in a -REG-E-OPEN error message.
A path traversal vulnerability in serve npm package version 7.0.1 allows the attackers to read content of arbitrary files on the remote server.
An log-management directory traversal issue was discovered in OverIT Geocall 6.3 before build 2:346977.
Avigilon – CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Aspen before 0.22 allows remote attackers to read arbitrary files via a .. (dot dot) to the default URI.
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the file_name parameter of the Step3 import functionality.
Directory traversal vulnerability in IBM InfoSphere Data Replication Dashboard 9.7 and 10.1 allows remote attackers to read arbitrary files via unspecified vectors. IBM X-Force ID: 84127.
Absolute path traversal vulnerability in the web interface in Cisco Finesse allows remote attackers to read directory contents via a direct request to a directory URL, aka Bug ID CSCug16772.
The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal.
Directory traversal vulnerability in app/webroot/js/vendors.php in Cake Software Foundation CakePHP before 1.1.8.3544 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, followed by a filename ending with "%00" and a .js filename.
Directory traversal vulnerability in LOCKON EC-CUBE 2.12.0 through 2.12.4 allows remote attackers to read arbitrary image files via vectors related to data/class/SC_CheckError.php and data/class/SC_FormParam.php, a different vulnerability than CVE-2013-3650.
A remote, unauthenticated, directory traversal vulnerability was identified within the web interface used by IND780 Advanced Weighing Terminals Build 8.0.07 March 19, 2018 (SS Label 'IND780_8.0.07'), Version 7.2.10 June 18, 2012 (SS Label 'IND780_7.2.10'). It was possible to traverse the folders of the affected host by providing a traversal path to the 'webpage' parameter in AutoCE.ini This could allow a remote unauthenticated adversary to access additional files on the affected system. This could also allow the adversary to perform further enumeration against the affected host to identify the versions of the systems in use, in order to launch further attacks in future.
Path traversal vulnerability in version up to v1.1.3 in serve-here.js npm module allows attackers to list any file in arbitrary folder.
Directory traversal vulnerability in the Loftek Nexus 543 IP Camera allows remote attackers to read arbitrary files via a .. (dot dot) in the URL of an HTTP GET request.
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.
get2post.php in IDERA Uptime Monitor 7.8 has directory traversal in the file_name parameter.
A vulnerability in Mambo CMS v4.6.5 where the scripts thumbs.php, editorFrame.php, editor.php, images.php, manager.php discloses the root path of the webserver.
tar/TarFileReader.cpp in Cauldron cbang (aka C-Bang or C!) before 1.6.0 allows Directory Traversal during extraction from a TAR archive.
IBM API Connect 5.0.0.0 through 5.0.8.6 developer portal could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 163681.
Payara Micro Community 5.2021.6 and below allows Directory Traversal.
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
Directory traversal vulnerability in the lfCheckFileName function in data/class/pages/LC_Page_ResizeImage.php in LOCKON EC-CUBE before 2.12.5 allows remote attackers to read arbitrary image files via vectors involving the image parameter to resize_image.php, a different vulnerability than CVE-2013-3654.
yttivy is a static file server. yttivy is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.
Directory traversal vulnerability in the Web Console in IBM Data Studio 3.1.0 and 3.1.1 allows remote attackers to read arbitrary files via unspecified vectors.
Insecure handling of a download function leads to disclosure of internal files due to path traversal with root privileges in Franklin Fueling Systems Colibri Controller Module 1.8.19.8580.
SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary files via the importFile parameter of the RefreshMapping import functionality.
Directory traversal vulnerability in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.
mfrs is a static file server. mfrs is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
jansenstuffpleasework is a file server. jansenstuffpleasework is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
lessindex is a static file server. lessindex is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
uv-tj-demo is a static file server. uv-tj-demo is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url.
`f2e-server` 1.12.11 and earlier is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. This is compounded by `f2e-server` requiring elevated privileges to run.
Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from the operating system.