Total: 271 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-32008 | 1 Secomea | 1 Gatemanager | 2022-03-12 | 8.7 High |
This issue affects Secomea GateManager version 9.6.621421014 and all prior versions. Improper limitation of a pathname to a restricted directory allows a logged-in GateManager admin to delete system files or directories. | ||||
CVE-2022-23377 | 1 Keep | 1 Archeevo | 2022-03-08 | 7.5 High |
Archeevo below 5.0 is affected by local file inclusion via the file parameter (for example file=~/web.config), allowing an attacker to retrieve local files. | ||||
CVE-2022-25104 | 1 Horizontcms Project | 1 Horizontcms | 2022-03-03 | 7.5 High |
HorizontCMS v1.0.0-beta.2 was discovered to contain an arbitrary file download vulnerability via the component /admin/file-manager/. | ||||
CVE-2022-25297 | 1 Drogon | 1 Drogon | 2022-02-28 | 8.8 High |
This affects the package drogonframework/drogon before 1.7.5. Unsafe handling of file names during upload via the HttpFile::save() method may enable attackers to write files to arbitrary locations outside the designated target folder. | ||||
CVE-2022-25299 | 1 Cesanta | 1 Mongoose | 2022-02-28 | 7.5 High |
This affects the package cesanta/mongoose before 7.6. Unsafe handling of file names during upload via the mg_http_upload() function may enable attackers to write files to arbitrary locations outside the designated target folder. | ||||
CVE-2022-24694 | 1 Mahara | 1 Mahara | 2022-02-11 | 4.3 Medium |
In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before 21.10.1, the names of folders in the Files area can be seen by a person not owning the folders. (Only folder names are affected. Neither file names nor file contents are affected.) | ||||
CVE-2021-25004 | 1 Seur Oficial Project | 1 Seur Oficial | 2022-02-11 | 4.9 Medium |
The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed. Although it is intended for support purposes, it allows any file on the web server to be downloaded without restriction once the URL and a password, which an administrator can see on the plugin settings page, are known. | ||||
CVE-2021-44983 | 1 Taogogo | 1 Taocms | 2022-02-08 | 4.9 Medium |
In taocms 3.0.1, after logging in to the admin backend, there is an arbitrary file download vulnerability in the File Management section. | ||||
CVE-2022-23316 | 1 Taogogo | 1 Taocms | 2022-02-08 | 4.9 Medium |
An issue was discovered in taoCMS v3.0.2. An arbitrary file read vulnerability allows any file to be read via admin.php?action=file&ctrl=download&path=../../1.txt. | ||||
CVE-2022-0244 | 1 Gitlab | 1 Gitlab | 2022-01-28 | 7.5 High |
An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible when importing a group, due to incorrect handling of files. | ||||
CVE-2022-22269 | 1 Google | 1 Android | 2022-01-15 | 3.3 Low |
Keeping sensitive data in unprotected BluetoothSettingsProvider prior to SMR Jan-2022 Release 1 allows untrusted applications to get a local Bluetooth MAC address. | ||||
CVE-2022-22268 | 1 Google | 1 Android | 2022-01-14 | 6.1 Medium |
Incorrect implementation of Knox Guard prior to SMR Jan-2022 Release 1 allows physically proximate attackers to temporarily unlock Knox Guard via Samsung DeX mode. | ||||
CVE-2022-22270 | 1 Google | 1 Android | 2022-01-14 | 3.3 Low |
An implicit Intent hijacking vulnerability in Dialer prior to SMR Jan-2022 Release 1 allows unprivileged applications to access contact information. | ||||
CVE-2022-22267 | 1 Google | 1 Android | 2022-01-14 | 3.3 Low |
An implicit Intent hijacking vulnerability in ActivityMetricsLogger prior to SMR Jan-2022 Release 1 allows attackers to obtain information about running applications. | ||||
CVE-2021-43821 | 1 Apereo | 1 Opencast | 2021-12-20 | 7.7 High |
Opencast is an open source lecture capture and video management system for education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages: during ingest, Opencast would open and include the referenced local files and make them available via the web interface. Attackers could exploit this to include most local files the Opencast process has read access to, extracting secrets from the host machine. An attacker needs the privileges required to add new media, but these are often widely granted. The issue has been fixed in Opencast 10.6 and 11.0. As a mitigation, narrow the read access Opencast has to the file system using UNIX permissions or a mandatory access control system such as SELinux; this cannot prevent access to files Opencast itself needs to read, so updating is highly recommended. | ||||
CVE-2021-39316 | 1 Digitalzoomstudio | 1 Zoomsounds | 2021-12-14 | 7.5 High |
The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter. | ||||
CVE-2021-25521 | 1 Samsung | 1 Internet | 2021-12-13 | 3.3 Low |
Insecure caller check in sharevia deeplink logic prior to Samsung Internet 16.0.2 allows untrusted applications to obtain the current tab URL in Samsung Internet. | ||||
CVE-2021-43772 | 2 Microsoft, Trendmicro | 5 Windows, Antivirus+ Security, Internet Security and 2 more | 2021-12-06 | 5.5 Medium |
Trend Micro Security 2021 v17.0 (Consumer) contains a vulnerability that allows files inside the protected folder to be modified without any detection. | ||||
CVE-2021-25741 | 1 Kubernetes | 1 Kubernetes | 2021-11-30 | 8.1 High |
A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files and directories outside of the volume, including on the host filesystem. | ||||
CVE-2020-15224 | 1 Openenclave | 1 Openenclave | 2021-11-18 | 6.8 Medium |
In Open Enclave before version 0.12.0, an information disclosure vulnerability exists when an enclave application using the syscalls provided by sockets.edl is loaded by a malicious host application. An attacker who successfully exploited the vulnerability could read privileged data from the enclave heap across trust boundaries. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information otherwise considered confidential in an enclave, which could be used in further compromises. The issue has been addressed in version 0.12.0 and the current master branch. Users will need to recompile their applications against the patched libraries to be protected from this vulnerability. |
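Most of the file-access entries above share one root cause: a client-controlled path or file name is joined onto a base directory and the result is trusted. The download bugs (taoCMS `path=../../1.txt`, Archeevo `file=~/web.config`, the Zoomsounds `link` parameter) read outside the intended directory; the upload bugs (Drogon `HttpFile::save()`, Mongoose `mg_http_upload()`) write outside it. The following is an added example written for this page, not code from any of the listed projects: a containment check for a download endpoint beside the naive join it replaces, and a file-name sanitizer for an upload endpoint. All function names (`safe_resolve`, `safe_upload_target`, `vulnerable_resolve`) are hypothetical, and the directory layout, secret file and request inputs in `demo()` are constructed for illustration, modelled on the parameters quoted in the advisories.

```python
import os
import shutil
import tempfile
import urllib.parse


class PathEscape(ValueError):
    """Raised when a client-supplied path would leave the allowed directory."""


def vulnerable_resolve(base_dir: str, client_path: str) -> str:
    """The pattern behind the listed bugs: join the user value and trust it.
    os.path.join drops base_dir entirely when client_path is absolute and does
    nothing about '..' segments, so 'path=../../1.txt' walks straight out."""
    return os.path.join(base_dir, client_path)


def safe_resolve(base_dir: str, client_path: str) -> str:
    """Return the real path of client_path inside base_dir, or raise PathEscape.

    1. percent-decode once (the constructed inputs below are raw; a framework
       that already decoded the query string should skip this step),
    2. refuse NUL bytes, absolute paths and '~' prefixes up front,
    3. resolve symlinks with realpath and test containment with commonpath,
       which, unlike a startswith() check, is not fooled by a sibling such as
       '/srv/files2' or by a symlink planted inside the directory.
    """
    decoded = urllib.parse.unquote(client_path)
    if "\x00" in decoded or os.path.isabs(decoded) or decoded.startswith("~"):
        raise PathEscape(client_path)
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, decoded))
    if candidate == real_base or os.path.commonpath([real_base, candidate]) != real_base:
        raise PathEscape(client_path)
    return candidate


def safe_upload_target(upload_dir: str, client_filename: str) -> str:
    """Uploads differ: the client-supplied name is only a hint. Keep the last
    component (handling both separator styles), refuse empty names and
    dot-files such as .htaccess, then still run the containment check."""
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or name in (".", "..") or name.startswith("."):
        raise PathEscape(client_filename)
    return safe_resolve(upload_dir, name)


def classify(base_dir: str, client_path: str) -> str:
    """'allowed' or 'rejected' for one download request."""
    try:
        safe_resolve(base_dir, client_path)
        return "allowed"
    except PathEscape:
        return "rejected"


def demo() -> dict:
    """Constructed fixture (not real application data): a public 'files' dir,
    an 'uploads' dir, a secret next to them, and a symlink inside 'files'
    that points back out to the parent directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    files = os.path.join(root, "files")
    uploads = os.path.join(root, "uploads")
    os.mkdir(files)
    os.mkdir(uploads)
    with open(os.path.join(files, "report.pdf"), "w") as fh:
        fh.write("public")
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("DB_PASSWORD=example")  # constructed secret outside files/
    os.symlink(root, os.path.join(files, "link"))

    # Constructed request values modelled on the advisories' parameters:
    # taoCMS path=../../1.txt, Archeevo file=~/web.config, plus an absolute
    # path, percent-encoded dots, the planted symlink and an empty value.
    download_inputs = ["report.pdf", "../config.php", "%2e%2e/config.php",
                       "/etc/passwd", "~/web.config", "link/config.php", ""]
    upload_inputs = ["../../shell.php", "..\\..\\evil.php", ".htaccess",
                     "", "/etc/cron.d/job"]
    result = {
        "download": {p: classify(files, p) for p in download_inputs},
        # the naive join really does reach the secret
        "vulnerable_join_reaches_secret":
            os.path.exists(vulnerable_resolve(files, "../config.php")),
        "upload": {},
    }
    for name in upload_inputs:
        try:
            target = safe_upload_target(uploads, name)
            result["upload"][name] = os.path.relpath(target, root)
        except PathEscape:
            result["upload"][name] = "rejected"
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

The symlink case is the one a pure string check misses: `files/link/config.php` contains no `..` at all, yet it resolves outside `files`, which is why the check runs on `realpath()` output rather than on the request string. For uploads, reducing the name to its last component is the right default only when the server never needs client-chosen subdirectories; if it does, route the directory part through `safe_resolve` separately rather than re-enabling the join.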