Total
8107 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-24320 | 1 Mgt-commerce | 1 Cloudpanel | 2024-11-21 | N/A | 8.8 HIGH |
| Directory Traversal vulnerability in Mgt-commerce CloudPanel v.2.0.0 thru v.2.4.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the service parameter of the load-logfiles function. | |||||
| CVE-2024-24122 | 1 Wondershare | 1 Edraw | 2024-11-21 | N/A | 3.3 LOW |
| A remote code execution vulnerability in the project management of Wanxing Technology's Yitu project which allows an attacker to use the exp.adpx file as a zip compressed file to construct a special file name, which can be used to decompress the project file into the system startup folder, restart the system, and automatically execute the constructed attack script. | |||||
| CVE-2024-24043 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
| Directory Traversal vulnerability in Speedy11CZ MCRPX v.1.4.0 and before allows a local attacker to execute arbitrary code via a crafted file. | |||||
| CVE-2024-24042 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Directory Traversal vulnerability in Devan-Kerman ARRP v.0.8.1 and before allows a remote attacker to execute arbitrary code via the dumpDirect in RuntimeResourcePackImpl component. | |||||
| CVE-2024-23946 | 1 Apache | 1 Ofbiz | 2024-11-21 | N/A | 5.3 MEDIUM |
| Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | |||||
| CVE-2024-23833 | 1 Openrefine | 1 Openrefine | 2024-11-21 | N/A | 7.5 HIGH |
| OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-23827 | 1 Nginxui | 1 Nginx Ui | 2024-11-21 | N/A | 9.8 CRITICAL |
| Nginx-UI is a web interface to manage Nginx configurations. The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. It's possible to leverage the vulnerability into a remote code execution overwriting the config file app.ini. Version 2.0.0.beta.12 fixed the issue. | |||||
| CVE-2024-23822 | 1 Thruk | 1 Thruk | 2024-11-21 | N/A | 5.4 MEDIUM |
| Thruk is a multibackend monitoring webinterface. Prior to 3.12, the Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal. Version 3.12 fixes the issue. | |||||
| CVE-2024-23793 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
| The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts. This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | |||||
| CVE-2024-23774 | 2024-11-21 | N/A | 7.8 HIGH | ||
| An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An unquoted Windows search path vulnerability exists in the KSchedulerSvc.exe and AMPTools.exe components. This allows local attackers to execute code of their choice with NT Authority\SYSTEM privileges. | |||||
| CVE-2024-23773 | 2024-11-21 | N/A | 7.8 HIGH | ||
| An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An Arbitrary file delete vulnerability exists in the KSchedulerSvc.exe component. Local attackers can delete any file of their choice with NT Authority\SYSTEM privileges. | |||||
| CVE-2024-23772 | 2024-11-21 | N/A | 6.6 MEDIUM | ||
| An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An Arbitrary file create vulnerability exists in the KSchedulerSvc.exe, KUserAlert.exe, and Runkbot.exe components. This allows local attackers to create any file of their choice with NT Authority\SYSTEM privileges. | |||||
| CVE-2024-23652 | 1 Mobyproject | 1 Buildkit | 2024-11-21 | N/A | 10.0 CRITICAL |
| BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature. | |||||
| CVE-2024-23540 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| The HCL BigFix Inventory server is vulnerable to path traversal which enables an attacker to read internal application files from the Inventory server. The BigFix Inventory server does not properly restrict the served static file. | |||||
| CVE-2024-23479 | 1 Solarwinds | 1 Access Rights Manager | 2024-11-21 | N/A | 9.6 CRITICAL |
| SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution. | |||||
| CVE-2024-23477 | 1 Solarwinds | 1 Access Rights Manager | 2024-11-21 | N/A | 7.9 HIGH |
| The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution. | |||||
| CVE-2024-23476 | 1 Solarwinds | 1 Access Rights Manager | 2024-11-21 | N/A | 9.6 CRITICAL |
| The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution. | |||||
| CVE-2024-23340 | 1 Hono | 1 Node-server | 2024-11-21 | N/A | 5.3 MEDIUM |
| @hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called "double dots", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`. | |||||
| CVE-2024-22779 | 1 Kihron | 1 Serverrpexposer | 2024-11-21 | N/A | 8.8 HIGH |
| Directory Traversal vulnerability in Kihron ServerRPExposer v.1.0.2 and before allows a remote attacker to execute arbitrary code via the loadServerPack in ServerResourcePackProviderMixin.java. | |||||
| CVE-2024-22514 | 1 Ispyconnect | 1 Agent Dvr | 2024-11-21 | N/A | 8.8 HIGH |
| An issue discovered in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to run arbitrary files by restoring a crafted backup file. | |||||