| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-1000202 |
|
|
XSS |
2018-06-05 |
2018-06-05 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
2 |
CVE-2018-1000177 |
79 |
|
XSS |
2018-05-08 |
2018-06-13 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins S3 Plugin 0.10.12 and older in src/main/resources/hudson/plugins/s3/S3ArtifactsProjectAction/jobMain.jelly that allows attackers able to control file names of uploaded files to define file names containing JavaScript that would be executed in another user's browser when that user performs some UI actions. |
|
3 |
CVE-2018-1000175 |
22 |
|
Dir. Trav. |
2018-05-08 |
2018-06-13 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override arbitrary files on the Jenkins master. |
|
4 |
CVE-2018-1000172 |
79 |
|
XSS |
2018-04-30 |
2018-06-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Imagely NextGEN Gallery version 2.2.30 and earlier contains a Cross Site Scripting (XSS) vulnerability in Image Alt & Title Text. This attack appears to be exploitable via a victim viewing the image in the administrator page. This vulnerability appears to have been fixed in 2.2.45. |
|
5 |
CVE-2018-1000170 |
79 |
|
XSS |
2018-04-16 |
2018-05-23 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaScript that would be executed in another user's browser when that other user performs some UI actions. |
|
6 |
CVE-2018-1000163 |
79 |
|
XSS |
2018-04-18 |
2018-05-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Floodlight version 1.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in the web console that can result in javascript injections into the web page. This attack appears to be exploitable via the victim browsing the web console. |
|
7 |
CVE-2018-1000162 |
79 |
|
Exec Code XSS |
2018-04-18 |
2018-05-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in `setMarkupEscaped` for escaping HTML that can result in JavaScript code execution. This attack appears to be exploitable via specially crafted markdown that allows it to side step HTML escaping by breaking AST boundaries. This vulnerability appears to have been fixed in 1.7.0 and later. |
|
8 |
CVE-2018-1000161 |
22 |
|
Dir. Trav. |
2018-04-18 |
2018-05-24 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
nmap version 6.49BETA6 through 7.60, up to and including SVN revision 37147 contains a Directory Traversal vulnerability in NSE script http-fetch that can result in file overwrite as the user is running it. This attack appears to be exploitable via a victim that runs NSE script http-fetch against a malicious web site. This vulnerability appears to have been fixed in 7.7. |
|
9 |
CVE-2018-1000160 |
79 |
|
XSS |
2018-04-18 |
2018-05-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
RisingStack protect version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in isXss() function in lib/rules/xss.js that can result in dangerous XSS strings being validated as safe. This attack appears to be exploitable via A number of XSS strings(26) detailed in the GitHub issue #16. |
|
10 |
CVE-2018-1000154 |
79 |
|
Exec Code XSS |
2018-04-05 |
2018-05-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Zammad GmbH Zammad version 2.3.0 and earlier contains a Improper Neutralization of Script-Related HTML Tags in a Web Page (CWE-80) vulnerability in the subject of emails which are not html quoted in certain cases. This can result in the embedding and execution of java script code on users browser. This attack appear to be exploitable via the victim openning a ticket. This vulnerability appears to have been fixed in 2.3.1, 2.2.2 and 2.1.3. |
|
11 |
CVE-2018-1000153 |
352 |
|
DoS CSRF |
2018-04-05 |
2018-05-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
A cross-site request forgery vulnerability exists in Jenkins vSphere Plugin 2.16 and older in Clone.java, CloudSelectorParameter.java, ConvertToTemplate.java, ConvertToVm.java, Delete.java, DeleteSnapshot.java, Deploy.java, ExposeGuestInfo.java, FolderVSphereCloudProperty.java, PowerOff.java, PowerOn.java, Reconfigure.java, Rename.java, RenameSnapshot.java, RevertToSnapshot.java, SuspendVm.java, TakeSnapshot.java, VSphereBuildStepContainer.java, vSphereCloudProvisionedSlave.java, vSphereCloudSlave.java, vSphereCloudSlaveTemplate.java, VSphereConnectionConfig.java, vSphereStep.java that allows attackers to perform form validation related actions, including sending numerous requests to the configured vSphere server, potentially resulting in denial of service, or send credentials stored in Jenkins with known ID to an attacker-specified server ("test connection"). |
|
12 |
CVE-2018-1000144 |
79 |
|
XSS |
2018-04-05 |
2018-05-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A cross site scripting vulnerability exists in Jenkins Cucumber Living Documentation Plugin 1.0.12 and older in CukedoctorBaseAction#doDynamic that disables the Content-Security-Policy protection for archived artifacts and workspace files, allowing attackers able to control the content of these files to attack Jenkins users. |
|
13 |
CVE-2018-1000139 |
79 |
|
XSS |
2018-03-23 |
2018-04-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
I, Librarian version 4.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in "id" parameter in stable.php that can result in an attacker using the XSS to send a malicious script to an unsuspecting user. |
|
14 |
CVE-2018-1000137 |
352 |
|
CSRF |
2018-03-23 |
2018-04-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
I, Librarian version 4.8 and earlier contains a Cross site Request Forgery (CSRF) vulnerability in users.php that can result in the password of the admin being forced to be changed without the administrator's knowledge. |
|
15 |
CVE-2018-1000131 |
89 |
|
Sql |
2018-03-14 |
2018-04-13 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appear to be exploitable via web site, without login. This vulnerability appears to have been fixed in 9.0.3 and later. |
|
16 |
CVE-2018-1000129 |
79 |
|
XSS |
2018-03-14 |
2018-04-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser. |
|
17 |
CVE-2018-1000119 |
200 |
|
+Info CSRF |
2018-03-07 |
2018-04-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0. |
|
18 |
CVE-2018-1000113 |
79 |
|
XSS |
2018-03-13 |
2018-04-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins TestLink Plugin 2.12 and earlier in TestLinkBuildAction/summary.jelly and others that allow an attacker who can control e.g. TestLink report names to have Jenkins serve arbitrary HTML and JavaScript |
|
19 |
CVE-2018-1000108 |
79 |
|
XSS |
2018-03-13 |
2018-04-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A cross-site scripting vulnerability exists in Jenkins CppNCSS Plugin 1.1 and earlier in AbstractProjectAction/index.jelly that allow an attacker to craft links to Jenkins URLs that run arbitrary JavaScript in the user's browser when accessed. |
|
20 |
CVE-2018-1000095 |
79 |
|
XSS |
2018-03-12 |
2018-04-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
oVirt version 4.2.0 to 4.2.2 contains a Cross Site Scripting (XSS) vulnerability in the name/description of VMs portion of the web admin application. This vulnerability appears to have been fixed in version 4.2.3. |
|
21 |
CVE-2018-1000092 |
352 |
|
CSRF |
2018-03-13 |
2018-04-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
CMS Made Simple version versions 2.2.5 contains a Cross ite Request Forgery (CSRF) vulnerability in Admin profile page that can result in Details can be found here http://dev.cmsmadesimple.org/bug/view/11715. This attack appear to be exploitable via A specially crafted web page. This vulnerability appears to have been fixed in 2.2.6. |
|
22 |
CVE-2018-1000088 |
79 |
|
XSS |
2018-03-13 |
2018-04-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view's OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client's name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0. |
|
23 |
CVE-2018-1000087 |
79 |
|
XSS |
2018-03-13 |
2018-04-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WolfCMS version version 0.8.3.1 contains a Reflected Cross Site Scripting vulnerability in "Create New File" and "Create New Directory" input box from 'files' Tab that can result in Session Hijacking, Spread Worms,Control the browser remotely. . This attack appear to be exploitable via Attacker can execute the JavaScript into the "Create New File" and "Create New Directory" input box from 'files'. |
|
24 |
CVE-2018-1000086 |
352 |
|
Exec Code CSRF |
2018-03-13 |
2018-04-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a Cross ite Request Forgery (CSRF) vulnerability in Pym.js _onNavigateToMessage function. https://github.com/nprapps/pym.js/blob/master/src/pym.js#L573 that can result in Arbitrary javascript code execution. This attack appear to be exploitable via Attacker gains full javascript access to pages with Pym.js embeds when user visits an attacker crafted page.. This vulnerability appears to have been fixed in versions 1.3.2 and later. |
|
25 |
CVE-2018-1000084 |
79 |
|
XSS |
2018-03-13 |
2018-04-06 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WOlfCMS WolfCMS version version 0.8.3.1 contains a Stored Cross-Site Scripting vulnerability in Layout Name (from Layout tab) that can result in low privilege user can steal the cookie of admin user and compromise the admin account. This attack appear to be exploitable via Need to enter the Javascript code into Layout Name . |
|
26 |
CVE-2018-1000083 |
22 |
|
Dir. Trav. |
2018-03-13 |
2018-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Ajenti version version 2 contains a Improper Error Handling vulnerability in Login JSON request that can result in The requisition leaks a path of the server. This attack appear to be exploitable via By sending a malformed JSON, the tool responds with a traceback error that leaks a path of the server. |
|
27 |
CVE-2018-1000082 |
352 |
|
Exec Code CSRF |
2018-03-13 |
2018-04-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Ajenti version version 2 contains a Cross ite Request Forgery (CSRF) vulnerability in the command execution panel of the tool used to manage the server. that can result in Code execution on the server . This attack appear to be exploitable via Being a CSRF, victim interaction is needed, when the victim access the infected trigger of the CSRF any code that match the victim privledges on the server can be executed.. |
|
28 |
CVE-2018-1000079 |
22 |
|
Dir. Trav. |
2018-03-13 |
2018-06-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. |
|
29 |
CVE-2018-1000078 |
79 |
|
XSS |
2018-03-13 |
2018-06-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. |
|
30 |
CVE-2018-1000073 |
22 |
|
Dir. Trav. |
2018-03-13 |
2018-06-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. |
|
31 |
CVE-2018-1000062 |
79 |
|
XSS |
2018-02-09 |
2018-03-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WonderCMS version 2.4.0 contains a Stored Cross-Site Scripting on File Upload through SVG vulnerability in uploadFileAction(), 'svg' => 'image/svg+xml' that can result in An attacker can execute arbitrary script on an unsuspecting user's browser. This attack appear to be exploitable via Crafted SVG File. |
|
32 |
CVE-2018-1000053 |
352 |
|
CSRF |
2018-02-09 |
2018-03-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
LimeSurvey version 3.0.0-beta.3+17110 contains a Cross ite Request Forgery (CSRF) vulnerability in Theme Uninstallation that can result in CSRF causing LimeSurvey admins to delete all their themes, rendering the website unusable. This attack appear to be exploitable via Simple HTML markup can be used to send a GET request to the affected endpoint. |
|
33 |
CVE-2018-1000044 |
89 |
|
Exec Code Sql |
2018-02-09 |
2018-02-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Security Onion Solutions Squert version 1.1.1 through 1.6.7 contains a SQL Injection vulnerability in .inc/callback.php that can result in execution of SQL commands. This attack appear to be exploitable via Web request to .inc/callback.php with the payload in the sensors parameter, used in ec(). This vulnerability appears to have been fixed in 1.7.0. |
|
34 |
CVE-2018-1000029 |
79 |
|
XSS |
2018-02-09 |
2018-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
mcholste Enterprise Log Search and Archive (ELSA) version revision 1205, commit 2cc17f1 and earlier contains a Cross Site Scripting (XSS) vulnerability in index view (/) that can result in . This attack appear to be exploitable via Payload delivered via the type, name, and value parameters of /Query/set_preference and the name and value parameters of /Query/preference. Payload executed when the user visits the index view (/). |
|
35 |
CVE-2018-1000020 |
79 |
|
XSS |
2018-02-09 |
2018-03-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in . This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher. |
|
36 |
CVE-2018-1000016 |
|
|
XSS |
2018-01-23 |
2018-01-23 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Jenkins Ant Plugin 1.7 and earlier failed to escape tool names it shows on job configuration screens, resulting in a cross-site scripting vulnerability that is exploitable only by Jenkins administrators. |
|
37 |
CVE-2018-1000014 |
352 |
|
CSRF |
2018-01-23 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Translation Assistance Plugin 1.15 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to override localized strings displayed to all users on the current Jenkins instance if the victim is a Jenkins administrator. |
|
38 |
CVE-2018-1000013 |
352 |
|
CSRF |
2018-01-23 |
2018-02-07 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds. |
|
39 |
CVE-2018-12588 |
|
|
XSS |
2018-06-19 |
2018-06-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-1 before 3.1.1-2 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the Search field). |
|
40 |
CVE-2018-12583 |
|
|
CSRF |
2018-06-19 |
2018-06-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in AKCMS 6.1. CSRF can delete an article via an admincp deleteitem action to index.php. |
|
41 |
CVE-2018-12582 |
|
|
CSRF |
2018-06-19 |
2018-06-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in AKCMS 6.1. CSRF can add an admin account via a /index.php?file=account&action=manageaccounts&job=newaccount URI. |
|
42 |
CVE-2018-12580 |
|
|
XSS |
2018-06-19 |
2018-06-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
library/DBTech/Security/Action/Sessions.php in DragonByte vBSecurity 3.x through 3.3.0 for vBulletin 3 and vBulletin 4 allows self-XSS via $session['user_agent'] in the "Login Sessions" feature. |
|
43 |
CVE-2018-12560 |
|
|
Dir. Trav. |
2018-06-19 |
2018-06-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. Arbitrary unmounts can be performed by regular users via directory traversal sequences such as a home/../sys/kernel substring. |
|
44 |
CVE-2018-12559 |
|
|
Dir. Trav. Bypass |
2018-06-19 |
2018-06-19 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in the cantata-mounter D-Bus service in Cantata through 2.3.1. The mount target path check in mounter.cpp `mpOk()` is insufficient. A regular user can consequently mount a CIFS filesystem anywhere (e.g., outside of the /home directory tree) by passing directory traversal sequences such as a home/../usr substring. |
|
45 |
CVE-2018-12534 |
|
|
Sql |
2018-06-18 |
2018-06-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
A SQL injection issue was discovered in the Quick Chat plugin before 4.00 for WordPress. |
|
46 |
CVE-2018-12530 |
|
|
Dir. Trav. CSRF |
2018-06-18 |
2018-06-18 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue was discovered in MetInfo 6.0.0. admin/app/batch/csvup.php allows remote attackers to delete arbitrary files via a flienamecsv=../ directory traversal. This can be exploited via CSRF. |
|
47 |
CVE-2018-12501 |
|
|
XSS |
2018-06-16 |
2018-06-16 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
Nagios Fusion before 4.1.4 has XSS, aka TPS#13332-13335. |
|
48 |
CVE-2018-12498 |
|
|
Sql |
2018-06-15 |
2018-06-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
spider.admincp.php in iCMS v7.0.8 has SQL Injection via the id parameter in an app=spider&do=batch request to admincp.php. |
|
49 |
CVE-2018-12494 |
|
|
Dir. Trav. |
2018-06-15 |
2018-06-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue discovered in PublicCMS V4.0.20180210. There is a "Directory Traversal" and "Arbitrary file read" vulnerability via an admin/cmsTemplate/content.html?path=../ URI. |
|
50 |
CVE-2018-12493 |
|
|
Dir. Trav. |
2018-06-15 |
2018-06-15 |
0.0 |
None |
??? |
??? |
??? |
??? |
??? |
??? |
|
An issue discovered in PublicCMS V4.0.20180210. There is a "Directory Traversal" and "Arbitrary file read" vulnerability via an admin/cmsWebFile/list.html?path=../ URI. |
