Vulnerabilities > Improper Link Resolution Before File Access ('Link Following')

Each entry gives the publication date, CVE identifier and title, then the description, then the access vector and attack complexity (where available), the vendor and CWE tags, and the risk score.
2021-02-18  CVE-2020-12878  Link Following vulnerability in Digi Connectport X2E
  Digi ConnectPort X2e before 3.2.30.6 allows an attacker to escalate privileges from the python user to root via a symlink attack that uses chown, related to /etc/init.d/S50dropbear.sh and the /WEB/python/.ssh directory.
  Access: local | Complexity: low | Vendor: digi | CWE-59 | Risk: 7.2
2021-02-17  CVE-2021-26720  Link Following vulnerability in multiple products
  avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon.
  Access: local | Complexity: low | Vendor: avahi, debian | CWE-59 | Risk: 4.6
2021-02-16  CVE-2021-27229  Link Following vulnerability in multiple products
  Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.
  Access: network | Vendor: mumble, debian | CWE-59 | Risk: 6.8
2021-02-05  CVE-2020-36241  Link Following vulnerability in Gnome Gnome-Autoar
  autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.
  Access: local | Complexity: low | Vendor: gnome | CWE-59 | Risk: 2.1
2021-01-28  CVE-2020-8585  Link Following vulnerability in Netapp Oncommand Unified Manager
  OnCommand Unified Manager Core Package versions prior to 5.2.5 may disclose sensitive account information to unauthorized users via the use of PuTTY Link (plink).
  Access: local | Complexity: low | Vendor: netapp | CWE-59 | Risk: 2.1
2021-01-21  CVE-2020-4966  Link Following vulnerability in IBM Security Identity Governance and Intelligence 5.2.6
  IBM Security Identity Governance and Intelligence 5.2.6 does not set the secure attribute on authorization tokens or session cookies.
  Access: network | Vendor: ibm | CWE-59 | Risk: 4.3
2021-01-13  CVE-2021-1145  Link Following vulnerability in Cisco Staros
  A vulnerability in the Secure FTP (SFTP) of Cisco StarOS for Cisco ASR 5000 Series Routers could allow an authenticated, remote attacker to read arbitrary files on an affected device.
  Access: network | Complexity: low | Vendor: cisco | CWE-59 | Risk: 4.0
2021-01-13  CVE-2021-21602  Link Following vulnerability in Jenkins
  Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows reading arbitrary files using the file browser for workspaces and archived artifacts by following symlinks.
  Access: network | Complexity: low | Vendor: jenkins | CWE-59 | Risk: 4.0
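The missing check in the gnome-autoar entry (a file's parent being a symlink to a directory outside the extraction location) and the Jenkins file-browser entry (files served by following symlinks out of the workspace) are the same containment failure: the path is checked lexically, or not at all, while the filesystem is allowed to follow links. The following is an added example, not code from gnome-autoar, Jenkins or this page: a Python containment check that resolves every path component, symlinked parents included, before an archive entry is written or a browsed file is served. The directory layout, the LinkEscape exception and the function names are assumptions made for illustration.

```python
import os
import tempfile


class LinkEscape(Exception):
    """Raised when a requested path resolves outside the permitted root."""


def resolve_inside(root: str, relpath: str) -> str:
    """Return the fully resolved path of `relpath` under `root`, or raise
    LinkEscape if any component resolves outside `root`.

    os.path.realpath follows every symlink in every component, so a parent
    directory that is a link to somewhere outside the root (the gnome-autoar
    case), a dotdot component, an absolute entry name and a dangling link as
    the final component are all caught by the same prefix comparison.
    """
    real_root = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(real_root, relpath))
    if resolved != real_root and not resolved.startswith(real_root + os.sep):
        raise LinkEscape(f"{relpath!r} resolves to {resolved!r}, outside {real_root!r}")
    return resolved


def demo_containment() -> dict:
    """Constructed scenario (assumption, not a real archive): an extraction
    root that already contains a symlink pointing outside it, then four entry
    names that an extractor or a file browser might be asked to handle."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "extract")     # intended extraction location
        outside = os.path.join(work, "outside")  # where the attacker wants writes to land
        os.makedirs(os.path.join(root, "ok"))
        os.makedirs(outside)
        # An earlier archive entry (or a pre-existing workspace file) planted this link.
        os.symlink(outside, os.path.join(root, "escape"))

        entries = (
            "ok/notes.txt",      # regular entry under a real subdirectory
            "escape/pwned.txt",  # parent is a symlink to a directory outside root
            "../pwned.txt",      # classic dotdot traversal
            "/etc/passwd",       # absolute name; os.path.join discards the root
        )
        verdicts = {}
        for entry in entries:
            try:
                resolve_inside(root, entry)
                verdicts[entry] = "allowed"
            except LinkEscape:
                verdicts[entry] = "rejected"
        return verdicts


if __name__ == "__main__":
    for entry, verdict in demo_containment().items():
        print(f"{verdict:8s} {entry}")
```

The resolved path is only as trustworthy as the filesystem at the instant realpath ran: an attacker who can write under the root can swap a directory for a link between the check and the write. For the final open, pair this check with `os.open(..., os.O_NOFOLLOW)` and, where the platform supports it, per-component opens with `dir_fd` so no component is re-looked-up by name.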
2021-01-12  CVE-2021-23240  Link Following vulnerability in multiple products
  selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a local unprivileged user to gain file ownership and escalate privileges by replacing a temporary file with a symlink to an arbitrary file target.
  Risk: 4.4
2021-01-12  CVE-2021-23239  Link Following vulnerability in multiple products
  The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.
  Risk: 1.9
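The Digi, avahi and sudoedit entries share one shape: a privileged process performs a path-based operation (chown, file creation, temporary-file handling) inside a directory an unprivileged user controls, and a symlink planted there redirects the operation to a file of the attacker's choosing. The following is an added example, not code from any of those projects or from this page: the vulnerable path-based write beside a form that opens with O_NOFOLLOW so a planted link is refused. The directory names and function names are assumptions. It demonstrates file creation and truncation rather than chown, since the chown variant needs root to reproduce; the same descriptor-based pattern (os.fchown on the opened fd instead of os.chown on the path) applies there.

```python
import errno
import os
import tempfile


def unsafe_touch(path: str) -> None:
    """Vulnerable pattern: create or truncate a file by path. open() follows
    symlinks, so if the directory is writable by an attacker who planted a
    link at `path`, the write lands on the link's target instead."""
    with open(path, "w"):
        pass


def safe_touch(path: str) -> None:
    """Hardened form: O_NOFOLLOW makes the kernel refuse a symlink as the final
    path component (ELOOP on Linux, EMLINK on some BSDs) instead of following
    it. Once the descriptor is open, ownership or mode changes belong on the
    fd (os.fchown / os.fchmod), never on the path (os.chown / os.chmod), so
    there is no second name lookup for the attacker to race."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o644)
    os.close(fd)


def demo_nofollow() -> dict:
    """Constructed scenario (assumption, not a real system): a protected file,
    an attacker-writable spool directory, and a symlink planted in the spool
    that points at the protected file, in the shape of the avahi
    /run/avahi-daemon and Digi /WEB/python/.ssh cases."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "victim.conf")  # only the privileged process should touch this
        spool = os.path.join(work, "spool")         # directory the attacker can write to
        os.mkdir(spool)
        planted = os.path.join(spool, "status")
        os.symlink(victim, planted)                 # the attacker's link

        def reset_victim() -> None:
            with open(victim, "w") as f:
                f.write("important\n")

        # Privileged code "creates its status file" by path: the victim is clobbered.
        reset_victim()
        unsafe_touch(planted)
        unsafe_truncated = os.path.getsize(victim) == 0

        # Same operation with O_NOFOLLOW: the kernel refuses the link, victim untouched.
        reset_victim()
        try:
            safe_touch(planted)
            safe_refused = False
        except OSError as exc:
            safe_refused = exc.errno in (errno.ELOOP, errno.EMLINK)
        safe_intact = os.path.getsize(victim) == len("important\n")

        return {
            "unsafe_truncated_victim": unsafe_truncated,
            "safe_refused_symlink": safe_refused,
            "safe_left_victim_intact": safe_intact,
        }


if __name__ == "__main__":
    for name, value in demo_nofollow().items():
        print(f"{name}: {value}")
```

O_NOFOLLOW only protects the last component; a symlinked parent directory is still followed, which is why the durable fix in the avahi and sudoedit cases is to stop doing privileged work in directories the unprivileged user can write to at all, and to create temporary files with O_CREAT|O_EXCL in a directory the process owns.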