Vulnerabilities (CVE)

Filtered by CWE-22
Total 4639 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-39261 2 Drupal, Symfony 2 Drupal, Twig 2022-09-30 N/A 7.5 HIGH
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.
CVE-2022-23357 1 Mozilo 1 Mozilocms 2022-09-30 6.4 MEDIUM 9.1 CRITICAL
mozilo2.0 was discovered to be vulnerable to directory traversal attacks via the parameter curent_dir.
CVE-2022-28814 1 Gavazziautomation 3 Cpy Car Park Server, Uwp 3.0 Monitoring Gateway And Controller, Uwp 3.0 Monitoring Gateway And Controller Firmware 2022-09-30 N/A 9.8 CRITICAL
Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 was discovered to be vulnerable to a relative path traversal vulnerability which enables remote attackers to read arbitrary files and gain full control of the device.
CVE-2022-40082 2 Cloudwego, Microsoft 2 Hertz, Windows 2022-09-29 N/A 7.5 HIGH
Hertz v0.3.0 ws discovered to contain a path traversal vulnerability via the normalizePath function.
CVE-2020-7246 1 Qdpm 1 Qdpm 2022-09-29 6.5 MEDIUM 8.8 HIGH
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.
CVE-2022-32190 2 Fedoraproject, Golang 2 Fedora, Go 2022-09-29 N/A 9.8 CRITICAL
JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.
CVE-2021-46830 1 Helpsystems 1 Goanywhere Managed File Transfer 2022-09-29 N/A 6.5 MEDIUM
A path traversal vulnerability exists within GoAnywhere MFT before 6.8.3 that utilize self-registration for the GoAnywhere Web Client. This vulnerability could potentially allow an external user who self-registers with a specific username and/or profile information to gain access to files at a higher directory level than intended.
CVE-2022-40199 1 Ec-cube 1 Ec-cube 2022-09-29 N/A 2.7 LOW
Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.
CVE-2022-39033 1 Lcnet 1 Smart Evision 2022-09-28 N/A 9.8 CRITICAL
Smart eVision’s file acquisition function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, access restricted paths to download and delete arbitrary system files to disrupt service.
CVE-2022-39034 1 Lcnet 1 Smart Evision 2022-09-28 N/A 6.5 MEDIUM
Smart eVision has a path traversal vulnerability in the Report API function due to insufficient filtering for special characters in URLs. A remote attacker with general user privilege can exploit this vulnerability to bypass authentication, access restricted paths and download system files.
CVE-2022-26276 1 Onenav 1 Onenav 2022-09-28 5.0 MEDIUM 5.3 MEDIUM
An issue in index.php of OneNav v0.9.14 allows attackers to perform directory traversal.
CVE-2022-2926 1 Adobe 1 Download Manager 2022-09-28 N/A 4.9 MEDIUM
The Download Manager WordPress plugin before 3.2.55 does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory
CVE-2021-41002 1 Hpe 15 Aruba 8320, Aruba 8325-32-c, Aruba 8325-48y8c and 12 more 2022-09-27 8.5 HIGH 8.1 HIGH
Multiple authenticated remote path traversal vulnerabilities were discovered in the AOS-CX command line interface in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): AOS-CX 10.06.xxxx: 10.06.0170 and below, AOS-CX 10.07.xxxx: 10.07.0050 and below, AOS-CX 10.08.xxxx: 10.08.1030 and below, AOS-CX 10.09.xxxx: 10.09.0002 and below. Aruba has released upgrades for Aruba AOS-CX devices that address these security vulnerabilities.
CVE-2020-8227 2 Linux, Nextcloud 2 Linux Kernel, Desktop 2022-09-27 7.1 HIGH 6.8 MEDIUM
Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory.
CVE-2022-34026 1 Icecoder 1 Icecoder 2022-09-24 N/A 7.5 HIGH
ICEcoder v8.1 allows attackers to execute a directory traversal.
CVE-2022-40444 1 Zzcms 1 Zzcms 2022-09-23 N/A 5.3 MEDIUM
ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server.
CVE-2022-40443 1 Zzcms 1 Zzcms 2022-09-23 N/A 5.3 MEDIUM
An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php.
CVE-2022-38340 1 Safe 1 Fme Server 2022-09-23 N/A 7.2 HIGH
Safe Software FME Server v2021.2.5, v2022.0.0.2 and below was discovered to contain a Path Traversal vulnerability via the component fmedataupload.
CVE-2022-39221 2 Mcwebserver Minecraft Mod For Fabric And Quilt Project, Mcwebserver Minecraft Mod For Forge Project 2 Mcwebserver Minecraft Mod For Fabric And Quilt, Mcwebserver Minecraft Mod For Forge 2022-09-23 N/A 7.5 HIGH
McWebserver mod runs a simple HTTP server alongside the Minecraft server in seperate threads. Path traversal in McWebserver Minecraft Mod for Fabric and Quilt up to and including 0.1.2.1 and McWebserver Minecraft Mod for Forge up to and including 0.1.1 allows all files, accessible by the program, to be read by anyone via HTTP request. Version 0.2.0 with patches are released to both platforms (Fabric and Quilt, Forge). As a workaround, the McWebserver mod can be disabled by removing the file from the `mods` directory.
CVE-2022-28981 1 Liferay 1 Liferay Portal 2022-09-23 N/A 7.5 HIGH
Path traversal vulnerability in the Hypermedia REST APIs module in Liferay Portal 7.4.0 through 7.4.2 allows remote attackers to access files outside of com.liferay.headless.discovery.web/META-INF/resources via the `parameter` parameter.