Total: 44 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-20234 | 1 Cisco | 43 Firepower 1000, Firepower 1010, Firepower 1020 and 40 more | 2024-01-25 | N/A | 6.0 MEDIUM |
A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to create a file or overwrite any file on the filesystem of an affected device, including system files. The vulnerability occurs because there is no validation of parameters when a specific CLI command is used. An attacker could exploit this vulnerability by authenticating to an affected device and using the command at the CLI. A successful exploit could allow the attacker to overwrite any file on the disk of the affected device, including system files. The attacker must have valid administrative credentials on the affected device to exploit this vulnerability. | |||||
CVE-2023-20114 | 1 Cisco | 1 Firepower Management Center | 2024-01-25 | N/A | 6.5 MEDIUM |
A vulnerability in the file download feature of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to download arbitrary files from an affected system. This vulnerability is due to a lack of input sanitation. An attacker could exploit this vulnerability by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from the affected system. | |||||
CVE-2023-49862 | 1 Wwbn | 1 Avideo | 2024-01-18 | N/A | 6.5 MEDIUM |
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerability is triggered by the `downloadURL_gifimage` parameter. | |||||
CVE-2023-49863 | 1 Wwbn | 1 Avideo | 2024-01-18 | N/A | 6.5 MEDIUM |
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerability is triggered by the `downloadURL_webpimage` parameter. | |||||
CVE-2023-47171 | 1 Wwbn | 1 Avideo | 2024-01-17 | N/A | 6.5 MEDIUM |
An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. | |||||
CVE-2023-47862 | 1 Wwbn | 1 Avideo | 2024-01-17 | N/A | 9.8 CRITICAL |
A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send a series of HTTP requests to trigger this vulnerability. | |||||
CVE-2023-49738 | 1 Wwbn | 1 Avideo | 2024-01-17 | N/A | 7.5 HIGH |
An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. | |||||
CVE-2023-49864 | 1 Wwbn | 1 Avideo | 2024-01-16 | N/A | 6.5 MEDIUM |
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerability is triggered by the `downloadURL_image` parameter. | |||||
CVE-2023-6569 | 1 H2o | 1 H2o | 2023-12-18 | N/A | 8.2 HIGH |
External Control of File Name or Path in h2oai/h2o-3. | |||||
CVE-2023-2554 | 1 Bumsys Project | 1 Bumsys | 2023-12-10 | N/A | 7.2 HIGH |
External Control of File Name or Path in GitHub repository unilogies/bumsys prior to 2.2.0. | |||||
CVE-2023-1105 | 1 Flatpress | 1 Flatpress | 2023-12-10 | N/A | 8.1 HIGH |
External Control of File Name or Path in GitHub repository flatpressblog/flatpress prior to 1.3. | |||||
CVE-2023-1070 | 1 Teampass | 1 Teampass | 2023-12-10 | N/A | 7.1 HIGH |
External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22. | |||||
CVE-2022-2400 | 1 Dompdf Project | 1 Dompdf | 2023-12-10 | N/A | 5.3 MEDIUM |
External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0. | |||||
CVE-2022-0593 | 1 Idehweb | 1 Login With Phone Number | 2023-12-10 | 6.4 MEDIUM | 6.5 MEDIUM |
The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing an unauthenticated user to remotely delete the plugin files, leading to a potential Denial of Service situation. | |||||
CVE-2022-0246 | 1 Webence | 1 Iq Block Country | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
The settings of the iQ Block Country WordPress plugin before 1.2.13 can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, the existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to a "Zip Slip" vulnerability. | |||||
CVE-2021-24966 | 1 Bestwebsoft | 1 Error Log Viewer | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
The Error Log Viewer WordPress plugin through 1.1.1 does not validate the path of the log file to clear, allowing high-privilege users to clear arbitrary files on the web server, including those outside of the blog folder. | |||||
CVE-2021-3845 | 1 Ws Scrcpy Project | 1 Ws Scrcpy | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
ws-scrcpy is vulnerable to External Control of File Name or Path. | |||||
CVE-2021-38477 | 1 Auvesy | 1 Versiondog | 2023-12-10 | 6.4 MEDIUM | 9.8 CRITICAL |
There are multiple API function codes that permit reading and writing data to or from files and directories, which could lead to the manipulation and/or the deletion of files. | |||||
CVE-2021-27250 | 1 Dlink | 2 Dap-2020, Dap-2020 Firmware | 2023-12-10 | 3.3 LOW | 6.5 MEDIUM |
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of CGI scripts. When parsing the errorpage request parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-11856. | |||||
CVE-2021-21343 | 4 Debian, Fedoraproject, Oracle and 1 more | 12 Debian Linux, Fedora, Banking Enterprise Default Management and 9 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in the deletion of a file on the local host. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||