Total
7648 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-17313 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user. | ||||
| CVE-2019-17312 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user. | ||||
| CVE-2019-17311 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user. | ||||
| CVE-2019-17224 | 1 Compal | 2 Ch7465lg, Ch7465lg Firmware | 2024-11-21 | 5.3 Medium |
| The web interface of the Compal Broadband CH7465LG modem (version CH7465LG-NCIP-6.12.18.25-2p6-NOSH) is vulnerable to a /%2f/ path traversal attack, which can be exploited in order to test for the existence of a file pathname outside of the web root directory. If a file exists but is not part of the product, there is a 404 error. If a file does not exist, there is a 302 redirect to index.html. | ||||
| CVE-2019-17199 | 2 Microsoft, Webpagetest | 2 Windows, Webpagetest | 2024-11-21 | 7.5 High |
| www/getfile.php in WPO WebPageTest 19.04 on Windows allows Directory Traversal (for reading arbitrary files) because of an unanchored regular expression, as demonstrated by the a.jpg\.. substring. | ||||
| CVE-2019-17187 | 1 Fiberhome | 2 Hg2201t, Hg2201t Firmware | 2024-11-21 | 7.5 High |
| /var/WEB-GUI/cgi-bin/downloadfile.cgi on FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication Directory Traversal for reading arbitrary files. | ||||
| CVE-2019-17180 | 2 Microsoft, Valvesoftware | 2 Windows, Steam Client | 2024-11-21 | 7.8 High |
| Valve Steam Client before 2019-09-12 allows placing or appending partially controlled filesystem content, as demonstrated by file modifications on Windows in the context of NT AUTHORITY\SYSTEM. This could lead to denial of service, elevation of privilege, or unspecified other impact. | ||||
| CVE-2019-17175 | 1 Joyplus-cms Project | 1 Joyplus-cms | 2024-11-21 | 7.5 High |
| joyplus-cms 1.6.0 allows manager/admin_pic.php?rootpath= absolute path traversal. | ||||
| CVE-2019-17109 | 1 Koji Project | 1 Koji | 2024-11-21 | 6.5 Medium |
| Koji through 1.18.0 allows remote Directory Traversal, with resultant Privilege Escalation. | ||||
| CVE-2019-17073 | 1 Emlog | 1 Emlog | 2024-11-21 | 6.5 Medium |
| emlog through 6.0.0beta allows remote authenticated users to delete arbitrary files via admin/template.php?action=del&tpl=../ directory traversal. | ||||
| CVE-2019-16990 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 6.5 Medium |
| In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it. | ||||
| CVE-2019-16986 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 6.5 Medium |
| In FusionPBX up to v4.5.7, the file resources\download.php uses an unsanitized "f" variable coming from the URL, which takes any pathname and allows a download of it. (resources\secure_download.php is also affected.) | ||||
| CVE-2019-16985 | 1 Fusionpbx | 1 Fusionpbx | 2024-11-21 | 6.5 Medium |
| In FusionPBX up to v4.5.7, the file app\xml_cdr\xml_cdr_delete.php uses an unsanitized "rec" variable coming from the URL, which is base64 decoded and allows deletion of any file of the system. | ||||
| CVE-2019-16915 | 1 Netgate | 1 Pfsense | 2024-11-21 | 9.8 Critical |
| An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/picture.widget.php uses the widgetkey parameter directly without sanitization (e.g., a basename call) for a pathname to file_get_contents or file_put_contents. | ||||
| CVE-2019-16903 | 1 Plutinosoft | 1 Platinum | 2024-11-21 | 5.3 Medium |
| Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /.. where it should be checking for ../ instead. | ||||
| CVE-2019-16902 | 1 Reputeinfosystems | 1 Arforms | 2024-11-21 | 7.5 High |
| In the ARforms plugin 3.7.1 for WordPress, arf_delete_file in arformcontroller.php allows unauthenticated deletion of an arbitrary file by supplying the full pathname. | ||||
| CVE-2019-16876 | 1 Portainer | 1 Portainer | 2024-11-21 | 7.5 High |
| Portainer before 1.22.1 allows Directory Traversal. | ||||
| CVE-2019-16868 | 1 Emlog | 1 Emlog | 2024-11-21 | 9.8 Critical |
| emlog through 6.0.0beta has an arbitrary file deletion vulnerability via an admin/data.php?action=dell_all_bak request with directory traversal sequences in the bak[] parameter. | ||||
| CVE-2019-16867 | 1 Hongcms Project | 1 Hongcms | 2024-11-21 | 6.5 Medium |
| HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774. (If the attacker deletes config.php and visits install/index.php, they can reinstall the product.) | ||||
| CVE-2019-16777 | 5 Fedoraproject, Npmjs, Opensuse and 2 more | 8 Fedora, Npm, Leap and 5 more | 2024-11-21 | 7.7 High |
| Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary. This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option. | ||||