CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2019(Directory Traversal)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1010309 Exec Code Dir. Trav. 2019-07-12 2019-07-12
0.0
None ??? ??? ??? ??? ??? ???
pacman prior to version 5.1.3 is affected by: Directory Traversal. The impact is: arbitrary file placement potentially leading to arbitrary root code execution. The component is: installing a remote package via a specified URL "pacman -U <url>". The problem was located in function curl_download_internal in lib/libalpm/dload.c line 535. The attack vector is: the victim must install a remote package via a specified URL from a malicious server (or a network MitM if downloading over HTTP). The fixed version is: 5.1.3 via commit 9702703633bec2c007730006de2aeec8587dfc84.
2 CVE-2019-1010205 22 Dir. Trav. 2019-07-23 2019-07-26
5.0
None Remote Low Not required Partial None None
LINAGORA hublin latest (commit 72ead897082403126bf8df9264e70f0a9de247ff) is affected by: Directory Traversal. The impact is: The vulnerability allows an attacker to access any file (with a fixed extension) on the server. The component is: A web-view renderer; details here: https://lgtm.com/projects/g/linagora/hublin/snapshot/af9f1ce253b4ee923ff8da8f9d908d02a8e95b7f/files/backend/webserver/views.js?sort=name&dir=ASC&mode=heatmap&showExcluded=false#xb24eb0101d2aec21:1. The attack vector is: Attacker sends a specially crafted HTTP request.
3 CVE-2019-17538 Dir. Trav. 2019-10-13 2019-10-15
0.0
None ??? ??? ??? ??? ??? ???
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file reading via the web/polygon/problem/viewfile?id=1&name=../ substring.
4 CVE-2019-17537 Dir. Trav. 2019-10-13 2019-10-15
0.0
None ??? ??? ??? ??? ??? ???
Jiangnan Online Judge (aka jnoj) 0.8.0 has Directory Traversal for file deletion via the web/polygon/problem/deletefile?id=1&name=../ substring.
5 CVE-2019-17399 22 Dir. Trav. 2019-10-09 2019-10-11
7.5
None Remote Low Not required Partial Partial Partial
The Shack Forms Pro extension before 4.0.32 for Joomla! allows path traversal via a file attachment.
6 CVE-2019-17314 22 Dir. Trav. 2019-10-07 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Configurator module by an Admin user.
7 CVE-2019-17313 22 Dir. Trav. 2019-10-07 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the Studio module by a Developer user.
8 CVE-2019-17312 22 Dir. Trav. 2019-10-07 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the file function by a Regular user.
9 CVE-2019-17311 22 Dir. Trav. 2019-10-07 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
SugarCRM before 8.0.4 and 9.x before 9.0.2 allows directory traversal in the attachment function by a Regular user.
10 CVE-2019-17199 22 Dir. Trav. 2019-10-05 2019-10-10
5.0
None Remote Low Not required Partial None None
www/getfile.php in WPO WebPageTest 19.04 on Windows allows Directory Traversal (for reading arbitrary files) because of an unanchored regular expression, as demonstrated by the a.jpg\.. substring.
11 CVE-2019-17187 22 Dir. Trav. 2019-10-08 2019-10-11
5.0
None Remote Low Not required Partial None None
/var/WEB-GUI/cgi-bin/downloadfile.cgi on FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication Directory Traversal for reading arbitrary files.
12 CVE-2019-17180 22 DoS Dir. Trav. 2019-10-04 2019-10-15
7.2
None Local Low Not required Complete Complete Complete
Valve Steam Client before 2019-09-12 allows placing or appending partially controlled filesystem content, as demonstrated by file modifications on Windows in the context of NT AUTHORITY\SYSTEM. This could lead to denial of service, elevation of privilege, or unspecified other impact.
13 CVE-2019-17175 22 Dir. Trav. 2019-10-04 2019-10-08
5.0
None Remote Low Not required Partial None None
joyplus-cms 1.6.0 allows manager/admin_pic.php?rootpath= absolute path traversal.
14 CVE-2019-17109 22 Dir. Trav. 2019-10-09 2019-10-11
4.0
None Remote Low Single system None Partial None
Koji through 1.18.0 allows remote Directory Traversal, with resultant Privilege Escalation.
15 CVE-2019-17073 22 Dir. Trav. 2019-10-01 2019-10-04
5.5
None Remote Low Single system None Partial Partial
emlog through 6.0.0beta allows remote authenticated users to delete arbitrary files via admin/template.php?action=del&tpl=../ directory traversal.
16 CVE-2019-16903 22 Dir. Trav. 2019-09-26 2019-09-26
5.0
None Remote Low Not required Partial None None
Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServer.cpp because it checks for /.. where it should be checking for ../ instead.
17 CVE-2019-16868 22 Dir. Trav. 2019-09-25 2019-09-26
7.5
None Remote Low Not required Partial Partial Partial
emlog through 6.0.0beta has an arbitrary file deletion vulnerability via an admin/data.php?action=dell_all_bak request with directory traversal sequences in the bak[] parameter.
18 CVE-2019-16680 22 Dir. Trav. 2019-09-21 2019-09-25
4.3
None Remote Medium Not required None Partial None
An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.
19 CVE-2019-16679 22 Dir. Trav. File Inclusion 2019-09-21 2019-09-23
4.0
None Remote Low Single system Partial None None
Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.
20 CVE-2019-16511 22 Dir. Trav. 2019-09-19 2019-09-20
5.8
None Remote Medium Not required None Partial Partial
An issue was discovered in DTF in FireGiant WiX Toolset before 3.11.2. Microsoft.Deployment.Compression.Cab.dll and Microsoft.Deployment.Compression.Zip.dll allow directory traversal during CAB or ZIP archive extraction, because the full name of an archive file (even with a ../ sequence) is concatenated with the destination path.
21 CVE-2019-16279 DoS Dir. Trav. 2019-10-14 2019-10-15
0.0
None ??? ??? ??? ??? ??? ???
Directory Traversal in the function SSL_accept in nostromo nhttpd through 1.9.6 allows an attacker to trigger a denial of service via a crafted HTTP request.
22 CVE-2019-16278 Exec Code Dir. Trav. 2019-10-14 2019-10-15
0.0
None ??? ??? ??? ??? ??? ???
Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.
23 CVE-2019-16198 22 Dir. Trav. 2019-10-03 2019-10-09
4.0
None Remote Low Single system Partial None None
KSLabs KSWEB 3.93 allows ../ directory traversal, as demonstrated by the hostFile parameter.
24 CVE-2019-16132 22 Dir. Trav. 2019-09-08 2019-09-10
5.5
None Remote Low Single system None Partial Partial
An issue was discovered in OKLite v1.2.25. framework/admin/tpl_control.php allows remote attackers to delete arbitrary files via a title directory-traversal pathname followed by a crafted substring.
25 CVE-2019-16123 22 Dir. Trav. 2019-09-08 2019-09-09
5.0
None Remote Low Not required Partial None None
In Kartatopia PilusCart 1.4.1, the parameter filename in the file catalog.php is mishandled, leading to ../ Local File Disclosure.
26 CVE-2019-16105 22 Dir. Trav. 2019-09-08 2019-09-09
4.0
None Remote Low Single system Partial None None
Silver Peak EdgeConnect SD-WAN before 8.1.7.x allows ..%2f directory traversal via a rest/json/configdb/download/ URI.
27 CVE-2019-15952 22 Exec Code +Priv Dir. Trav. 2019-09-05 2019-09-06
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the Pages privilege can conduct a path traversal attack (../) to include .html files that are outside the permitted directory. Also, if a page contains a template directive, then the directive will be server side processed. Thus, if a user can control the content of a .html file, then they can inject a payload with a malicious template directive to gain Remote Command Execution. The exploit will work only with the .html extension.
28 CVE-2019-15822 22 Dir. Trav. 2019-08-30 2019-09-03
7.5
None Remote Low Not required Partial Partial Partial
The wps-child-theme-generator plugin before 1.2 for WordPress has classes/helpers.php directory traversal.
29 CVE-2019-15714 22 Dir. Trav. 2019-08-28 2019-09-04
5.0
None Remote Low Not required Partial None None
cli/lib/main.js in Entropic before 2019-06-13 does not reject / and \ in command names, which might allow a directory traversal attack in unusual situations.
30 CVE-2019-15630 22 Dir. Trav. 2019-08-30 2019-09-05
5.0
None Remote Low Not required Partial None None
Directory Traversal in APIkit, HTTP connector, and OAuth2 Provider components in MuleSoft Mule Runtime 3.2.0 and higher released before August 1 2019, MuleSoft Mule Runtime 4.1.0 and higher released before August 1 2019, and all versions of MuleSoft API Gateway released before August 1 2019 allow remote attackers to read files accessible to the Mule process.
31 CVE-2019-15520 22 Dir. Trav. 2019-08-23 2019-08-27
5.0
None Remote Low Not required Partial None None
comelz Quark before 2019-03-26 allows directory traversal to locations outside of the project directory.
32 CVE-2019-15519 22 Dir. Trav. 2019-08-23 2019-08-30
10.0
None Remote Low Not required Complete Complete Complete
Power-Response before 2019-02-02 allows directory traversal (up to the application's main directory) via a plugin.
33 CVE-2019-15518 22 Dir. Trav. 2019-08-23 2019-08-27
5.0
None Remote Low Not required Partial None None
Swoole before 4.2.13 allows directory traversal in swPort_http_static_handler.
34 CVE-2019-15517 22 Dir. Trav. 2019-08-23 2019-08-27
4.9
None Local Low Not required Complete None None
jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal.
35 CVE-2019-15516 22 Dir. Trav. 2019-08-23 2019-08-27
5.0
None Remote Low Not required Partial None None
Cuberite before 2019-06-11 allows webadmin directory traversal via ....// because the protection mechanism simply removes one ../ substring.
36 CVE-2019-15326 22 Dir. Trav. 2019-08-22 2019-08-23
5.0
None Remote Low Not required None Partial None
The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPress has directory traversal.
37 CVE-2019-15323 22 Dir. Trav. 2019-08-22 2019-09-06
5.0
None Remote Low Not required Partial None None
The ad-inserter plugin before 2.4.20 for WordPress has path traversal.
38 CVE-2019-14994 22 Dir. Trav. 2019-09-19 2019-09-23
4.3
None Remote Medium Not required Partial None None
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.
39 CVE-2019-14914 22 Dir. Trav. 2019-09-20 2019-09-23
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in PRiSE adAS 1.7.0. The path is not properly escaped in the medatadata_del method, leading to an arbitrary file read and deletion via Directory Traversal.
40 CVE-2019-14798 22 Dir. Trav. File Inclusion 2019-08-09 2019-08-14
4.0
None Remote Low Single system Partial None None
The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter.
41 CVE-2019-14788 22 Exec Code Dir. Trav. 2019-08-15 2019-08-22
6.5
None Remote Low Single system Partial Partial Partial
wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value.
42 CVE-2019-14751 22 Dir. Trav. 2019-08-22 2019-08-29
5.0
None Remote Low Not required None Partial None
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
43 CVE-2019-14701 22 DoS Dir. Trav. 2019-08-06 2019-08-13
5.0
None Remote Low Not required None None Partial
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can trigger read operations on an arbitrary file via Path Traversal in the TZ parameter, but cannot retrieve the data that is read. This causes a denial of service if the filename is, for example, /dev/random.
44 CVE-2019-14700 22 Dir. Trav. 2019-08-06 2019-08-13
5.0
None Remote Low Not required Partial None None
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. There is disclosure of the existence of arbitrary files via Path Traversal in HTTPD. This occurs because the filename specified in the TZ parameter is accessed with a substantial delay if that file exists.
45 CVE-2019-14530 22 Dir. Trav. 2019-08-13 2019-08-19
4.0
None Remote Low Single system Partial None None
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from server.
46 CVE-2019-14521 22 Dir. Trav. 2019-08-05 2019-08-13
5.0
None Remote Low Not required None Partial None
The api/admin/logoupload Logo File upload feature in EMCA Energy Logserver 6.1.2 allows attackers to send any kind of file to any location on the server via path traversal in the filename parameter.
47 CVE-2019-14452 22 Dir. Trav. 2019-07-30 2019-08-05
5.0
None Remote Low Not required None Partial None
Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.
48 CVE-2019-14418 22 Dir. Trav. 2019-07-29 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
An issue was discovered in Veritas Resiliency Platform (VRP) before 3.4 HF1. When uploading an application bundle, a directory traversal vulnerability allows a VRP user with sufficient privileges to overwrite any file in the VRP virtual machine. A malicious VRP user could use this to replace existing files to take control of the VRP virtual machine.
49 CVE-2019-14362 22 Dir. Trav. 2019-07-28 2019-08-14
5.5
None Remote Low Single system Partial Partial None
Openbravo ERP before 3.0PR19Q1.3 is affected by Directory Traversal. This vulnerability could allow remote authenticated attackers to replace a file on the server via the getAttachmentDirectoryForNewAttachment inpKey value.
50 CVE-2019-14322 22 Dir. Trav. 2019-07-28 2019-08-06
5.0
None Remote Low Not required Partial None None
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
Total number of vulnerabilities : 280   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.