A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files
Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server
Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0. This issue affects M-Files New Web: before 22.11.12011.0.
Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys (associated with a Linux root user) by injecting paths inside REST API endpoint parameters.
IBM Security Verify Governance, Identity Manager 10.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 257772.
SonicJS up to v0.7.0 allows attackers to execute an authenticated path traversal when an attacker injects special characters into the filename of a backup CMS.
A vulnerability was detected in Kilo-Org kilocode up to 7.0.47. This vulnerability affects the function Bun.file of the file packages/opencode/src/kilocode/review/worktree-diff.ts of the component File Diff API Endpoint. Performing a manipulation of the argument File results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Path Traversal vulnerability in SonicWall GMS and Analytics allows a remote authenticated attacker to read arbitrary files from the underlying file system via web service. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue.
Path Traversal vulnerability in GMS and Analytics allows an authenticated attacker to read arbitrary files from the underlying filesystem with root privileges. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
An issue has been discovered in GitLab affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in `tar`, fixed in [`tar-1.35`](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00005.html).
AgilePoint NX v8.0 SU2.2 & SU2.3 - Path traversal - Vulnerability allows path traversal and downloading files from the server, by an unspecified request.
Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities result in the ability to read arbitrary files on the underlying operating system, including sensitive system files.
Gotham Table service and Forward App were found to be vulnerable to a Path traversal issue allowing an authenticated user to read arbitrary files on the file system.
CLTPHP <=6.0 is vulnerable to Directory Traversal.
Multiple authenticated path traversal vulnerabilities exist in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of these vulnerabilities result in the ability to read arbitrary files on the underlying operating system, including sensitive system files.
S-CMS v5.0 was discovered to contain an arbitrary file read vulnerability.
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.
An executable used in Rockwell Automation ThinManager ThinServer can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables.
The n8n package 0.218.0 for Node.js allows Directory Traversal.
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files.
Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to a directory traversal, which may allow an attacker to remotely read arbitrary files on the file system.
Absolute Path Traversal vulnerability in GetImage in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3 .
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.
Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle.
The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise web interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files in Aruba EdgeConnect Enterprise Software version(s): ECOS 9.2.1.0 and below; ECOS 9.1.3.0 and below; ECOS 9.0.7.0 and below; ECOS 8.3.7.1 and below.
metersphere is an open source continuous testing platform. In versions prior to 2.7.1 a user who has permission to create a resource file through UI operations is able to append a path to their submission query which will be read by the system and displayed to the user. This allows a users of the system to read arbitrary files on the filesystem of the server so long as the server process itself has permission to read the requested files. This issue has been addressed in version 2.7.1. All users are advised to upgrade. There are no known workarounds for this issue.
A vulnerability was detected in Edimax BR-6208AC 1.02. This impacts the function handle_retr of the component FTP Daemon Service. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Edimax confirms this issue: "This product is no longer available in the market and has been discontinued for five years. Consequently, Edimax no longer provides technical support, firmware updates, or security patches for this specific model. However, to ensure the safety of our remaining active users, we acknowledge this report and will take the following mitigation actions: (A) We will issue an official security advisory on our support website. (B) We will strongly advise users to disable the FTP service on this device to mitigate the reported risk, by which the product will still work for common use. (C) We will recommend users upgrade to newer, supported models." This vulnerability only affects products that are no longer supported by the maintainer.
The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.
A relative path traversal vulnerability [CWE-23] in FortiWeb version 7.0.1 and below, 6.4 all versions, 6.3 all versions, 6.2 all versions may allow an authenticated user to obtain unauthorized access to files and data via specifically crafted web requests.
A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to view the contents of arbitrary files on an affected device. The vulnerability is due to improper input validation in the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retrieve the contents of arbitrary files on the device, possibly resulting in the disclosure of sensitive information.
The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php.
Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The rust `join` method without checking user input might have made it abe to do a Path Traversal attack causing to read more files than allowed. This is fixed in version 0.2.0.
A directory traversal vulnerability exists in the luci2-io file-export mib functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.
A path traversal vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow authenticated users to read the contents of unexpected files and expose sensitive data via a network. We have already fixed the vulnerability in the following version: Music Station 5.3.22 and later
U-Office Force Download function has a path traversal vulnerability. A remote attacker with general user privilege can exploit this vulnerability to download arbitrary system file.
Synapsoft pdfocus 1.17 is vulnerable to local file inclusion and server-side request forgery Directory Traversal.
angular-http-server node module suffers from a Path Traversal vulnerability due to lack of validation of possibleFilename, which allows a malicious user to read content of any file with known path.
glance node module before 3.0.4 suffers from a Path Traversal vulnerability due to lack of validation of path passed to it, which allows a malicious user to read content of any file with known path.
node-srv node module suffers from a Path Traversal vulnerability due to lack of validation of url, which allows a malicious user to read content of any file with known path.
The Jobs for WordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.7.11 via the 'job_postings_get_file' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Attackers can send GET requests to modules/backup/actions.php with op=getfile and traverse directories using ../ sequences to access sensitive system files.
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows attackers with valid credentials to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.
Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Attackers can send GET requests to navigate_download.php with path traversal payloads ../../../cfg/globals.php to access sensitive configuration files and system files outside the intended directory.
LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution.
The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. This patch is called e8bd4e17e9428260f2161378356affc5ce90d6ed. It is advisable to implement a patch to correct this issue.