Vulnerabilities > Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-24 | CVE-2024-49760 | Path Traversal vulnerability in Openrefine OpenRefine is a free, open source tool for working with messy data. | 5.3 |
| 2024-10-24 | CVE-2024-47883 | Path Traversal vulnerability in Openrefine Butterfly The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. | 9.1 |
| 2024-10-24 | CVE-2024-48931 | Path Traversal vulnerability in Zimaspace Zimaos ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. | 7.5 |
| 2024-10-23 | CVE-2024-48213 | Path Traversal vulnerability in Rockoa Xinhu 2.6.5 RockOA v2.6.5 is vulnerable to Directory Traversal in webmain/system/beifen/beifenAction.php. | 4.3 |
| 2024-10-23 | CVE-2024-20379 | Path Traversal vulnerability in Cisco products A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. | 6.5 |
| 2024-10-22 | CVE-2024-35308 | Path Traversal vulnerability in Pandorafms Pandora FMS 742/746 A post-authentication arbitrary file read vulnerability within the server plugins section in plugin edition feature. This issue affects Pandora FMS: from 700 through <777.3. | 8.8 |
| 2024-10-21 | CVE-2024-41713 | Path Traversal vulnerability in Mitel Micollab A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. | 9.1 |
| 2024-10-21 | CVE-2024-49366 | Path Traversal vulnerability in Nginxui Nginx UI Nginx UI is a web user interface for the Nginx web server. | 7.5 |
| 2024-10-21 | CVE-2024-45309 | Path Traversal vulnerability in Onedev Project Onedev OneDev is a Git server with CI/CD, kanban, and packages. | 7.5 |
| 2024-10-21 | CVE-2024-47742 | Path Traversal vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Block path traversal Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are: - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd() - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". | 7.8 |