Total
407 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-43414 | 1 Jenkins | 1 Nunit | 2025-05-08 | 5.3 Medium |
| Jenkins NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results, allowing attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller. | ||||
| CVE-2022-23738 | 1 Github | 1 Enterprise Server | 2025-05-06 | 5.7 Medium |
| An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server instance, be able to create a public repository, and have a site administrator visit a specially crafted URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2021-39316 | 1 Digitalzoomstudio | 1 Zoomsounds | 2025-05-05 | 7.5 High |
| The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the `dzsap_download` action using directory traversal in the `link` parameter. | ||||
| CVE-2022-41710 | 1 Markdownify Project | 1 Markdownify | 2025-05-05 | 5.5 Medium |
| Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Markdownify. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them. | ||||
| CVE-2022-43449 | 1 Openharmony | 1 Openharmony | 2025-05-02 | 6.2 Medium |
| OpenHarmony-v3.1.2 and prior versions had an Arbitrary file read vulnerability via download_server. Local attackers can install an malicious application on the device and reveal any file from the filesystem that is accessible to download_server service which run with UID 1000. | ||||
| CVE-2022-45129 | 1 Payara | 1 Payara | 2025-05-01 | 7.5 High |
| Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0. | ||||
| CVE-2022-3691 | 1 Fluenx | 1 Deepl Pro Api Translation | 2025-04-30 | 7.5 High |
| The DeepL Pro API translation plugin WordPress plugin before 1.7.5 discloses sensitive information (including the DeepL API key) in files that are publicly accessible to an external, unauthenticated visitor. | ||||
| CVE-2023-2766 | 1 Weaver | 1 E-office | 2025-04-25 | 5.3 Medium |
| A vulnerability was found in Weaver OA 9.5 and classified as problematic. This issue affects some unknown processing of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini. The manipulation leads to files or directories accessible. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-229271. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2022-44356 | 1 Wavlink | 2 Wl-wn531g3, Wl-wn531g3 Firmware | 2025-04-25 | 7.5 High |
| WAVLINK Quantum D4G (WL-WN531G3) running firmware versions M31G3.V5030.201204 and M31G3.V5030.200325 has an access control issue which allows unauthenticated attackers to download configuration data and log files. | ||||
| CVE-2022-23621 | 1 Xwiki | 1 Xwiki | 2025-04-23 | 5.5 Medium |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right. | ||||
| CVE-2023-3155 | 1 Imagely | 1 Nextgen Gallery | 2025-04-23 | 7.2 High |
| The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server. | ||||
| CVE-2022-45227 | 1 Dragino | 2 Lg01 Lora, Lg01 Lora Firmware | 2025-04-23 | 7.5 High |
| The web portal of Dragino Lora LG01 18ed40 IoT v4.3.4 has the directory listing at the URL https://10.10.20.74/lib/. This address has a backup file which can be downloaded without any authentication. | ||||
| CVE-2024-45894 | 1 Bluecms Project | 1 Bluecms | 2025-04-23 | 4.9 Medium |
| BlueCMS 1.6 suffers from Arbitrary File Deletion via the file_name parameter in an /admin/database.php?act=del request. | ||||
| CVE-2022-39208 | 1 Onedev Project | 1 Onedev | 2025-04-22 | 7.5 High |
| Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2017-2551 | 1 Inpsyde | 1 Backwpup | 2025-04-20 | N/A |
| Vulnerability in Wordpress plugin BackWPup before v3.4.2 allows possible brute forcing of backup file for download. | ||||
| CVE-2015-3248 | 2 Openhpi, Redhat | 2 Openhpi, Enterprise Linux | 2025-04-20 | N/A |
| openhpi/Makefile.am in OpenHPI before 3.6.0 uses world-writable permissions for /var/lib/openhpi directory, which allows local users, when quotas are not properly setup, to fill the filesystem hosting /var/lib and cause a denial of service (disk consumption). | ||||
| CVE-2017-15104 | 2 Heketi Project, Redhat | 3 Heketi, Enterprise Linux, Storage | 2025-04-20 | 7.8 High |
| An access flaw was found in Heketi 5, where the heketi.json configuration file was world readable. An attacker having local access to the Heketi server could read plain-text passwords from the heketi.json file. | ||||
| CVE-2017-14942 | 1 Intelbras | 2 Wrn 150, Wrn 150 Firmware | 2025-04-20 | N/A |
| Intelbras WRN 150 devices allow remote attackers to read the configuration file, and consequently bypass authentication, via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg containing an admin:language=pt cookie. | ||||
| CVE-2017-7737 | 1 Fortinet | 1 Fortiweb | 2025-04-20 | N/A |
| An information disclosure vulnerability in Fortinet FortiWeb 5.8.2 and below versions allows logged-in admin user to view SNMPv3 user password in cleartext in webui via the HTML source code. | ||||
| CVE-2017-1308 | 1 Ibm | 1 Daeja Viewone | 2025-04-20 | N/A |
| IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 could allow an authenticated attacker to download files they should not have access to due to improper access controls. IBM X-Force ID: 125462. | ||||