Path traversal vulnerability in the Medialibrary module Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py
An issue was discovered in PRiSE adAS 1.7.0. The path is not properly escaped in the medatadata_del method, leading to an arbitrary file read and deletion via Directory Traversal.
Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is running on the same machine as the "lektor server" command.
Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection name (such as a collection name that depends on request or user data). Sites that only use fixed calls to the `collection()` helper/`$kirby->collection()` method (i.e. calls with a simple string for the collection name) are *not* affected. A missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the collections root or even outside of the Kirby installation. PHP code within such files was executed. Such attacks first require an attack vector in the site code that is caused by dynamic collection names, such as `collection('tags-' . get('tags'))`. It generally also requires knowledge of the site structure and the server's file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing. In a vulnerable setup, this could cause damage to the confidentiality and integrity of the server. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, the maintainers of Kirby have added a check for the collection path that ensures that the resulting path is contained within the configured collections root. Collection paths that point outside of the collections root will not be loaded.
Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (such as a snippet name that depends on request or user data). Sites that only use fixed calls to the `snippet()` helper/`$kirby->snippet()` method (i.e. calls with a simple string for the snippet name) are *not* affected. A missing path traversal check allowed attackers to navigate and access all files on the server that were accessible to the PHP process, including files outside of the snippets root or even outside of the Kirby installation. PHP code within such files was executed. Such attacks first require an attack vector in the site code that is caused by dynamic snippet names, such as `snippet('tags-' . get('tags'))`. It generally also requires knowledge of the site structure and the server's file system by the attacker, although it can be possible to find vulnerable setups through automated methods such as fuzzing. In a vulnerable setup, this could cause damage to the confidentiality and integrity of the server. The problem has been patched in Kirby 3.9.8.3, Kirby 3.10.1.2, and Kirby 4.7.1. In all of the mentioned releases, Kirby maintainers have added a check for the snippet path that ensures that the resulting path is contained within the configured snippets root. Snippet paths that point outside of the snippets root will not be loaded.
Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to arbitrary file removal in core.py. `output_tts_path` in tts.py takes arbitrary user input and passes it to `run_tts_script` function in core.py, which checks if the path in `output_tts_path` exists, and if yes, removes that path, which leads to arbitrary file removal. As of time of publication, no known patches are available.
An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS 6.0.0 allows attackers to execute a directory traversal.
An Information Disclosure / Data Modification issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27. A URL can be constructed which allows overriding the PDF file's path leading to any PDF whose path is known and which is readable to the web server can be downloaded. The file will be deleted after download if the web server has permission to do so. For PHP versions before 5.3, any file can be read by null terminating the string left of the file extension.
Studio 42 elFinder before 2.1.37 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process. NOTE: this issue exists because of an incomplete fix for CVE-2018-9109.
Studio 42 elFinder before 2.1.36 has a directory traversal vulnerability in elFinder.class.php with the zipdl() function that can allow a remote attacker to download files accessible by the web server process and delete files owned by the account running the web server process.
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
Path traversal vulnerability in Samsung Members prior to version 5.0.00.11 allows attackers to read and write arbitrary file with the privilege of Samsung Members.
A directory traversal vulnerability in the apoc plugins in Neo4J Graph database before 4.4.0.1 allows attackers to read local files, and sometimes create local files. This is fixed in 3.5.17, 4.2.10, 4.3.0.4, and 4.4.0.1.
Apache James ManagedSieve implementation alongside with the file storage for sieve scripts is vulnerable to path traversal, allowing reading and writing any file. This vulnerability had been patched in Apache James 3.6.1 and higher. We recommend the upgrade. Distributed and Cassandra based products are also not impacted.
Dell VNX2 for File version 8.1.21.266 and earlier, contain a path traversal vulnerability which may lead unauthenticated users to read/write restricted files
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.
SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files include server configuration files containing various secrets and hashed user passwords.
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.
A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_netaction.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissions.
A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 v3.90. The component affected by this issue is /upload_sysconfig.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissions.
An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.
IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view or write to arbitrary files on the system. IBM X-Force ID: 228579.
extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.