Total
57 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2360 | 1 Lollms | 1 Lollms Web Ui | 2024-11-21 | N/A | 9.8 CRITICAL |
| parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these settings to execute arbitrary code on the targeted server. The issue affects the latest version of the software. The vulnerability stems from the application's handling of the 'discussion_db_name' and 'pdf_latex_path' parameters, which do not properly validate file paths, allowing for directory traversal. This vulnerability can also lead to further file exposure and other attack vectors by manipulating the 'discussion_db_name' parameter. | |||||
| CVE-2024-21518 | 1 Opencart | 1 Opencart | 2024-11-21 | N/A | 7.2 HIGH |
| This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An attacker can create arbitrary files in the web root of the application and overwrite other existing files by exploiting this vulnerability. | |||||
| CVE-2023-6977 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 7.5 HIGH |
| This vulnerability enables malicious users to read sensitive files on the server. | |||||
| CVE-2023-6975 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 9.8 CRITICAL |
| A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information. | |||||
| CVE-2023-6909 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 7.5 HIGH |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. | |||||
| CVE-2023-6831 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 8.1 HIGH |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. | |||||
| CVE-2023-6130 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 8.8 HIGH |
| Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. | |||||
| CVE-2023-6023 | 1 Vertaai | 1 Modeldb | 2024-11-21 | N/A | 7.5 HIGH |
| An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter. | |||||
| CVE-2023-6021 | 1 Ray Project | 1 Ray | 2024-11-21 | N/A | 7.5 HIGH |
| LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023 | |||||
| CVE-2023-2984 | 2 Microsoft, Pimcore | 2 Windows, Pimcore | 2024-11-21 | N/A | 8.8 HIGH |
| Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. | |||||
| CVE-2023-2780 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 9.8 CRITICAL |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. | |||||
| CVE-2023-1177 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 9.3 CRITICAL |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. | |||||
| CVE-2023-1034 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 8.8 HIGH |
| Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9. | |||||
| CVE-2023-0316 | 1 Froxlor | 1 Froxlor | 2024-11-21 | N/A | 5.5 MEDIUM |
| Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0. | |||||
| CVE-2023-0104 | 1 Weintek | 1 Easybuilder Pro | 2024-11-21 | N/A | 9.3 CRITICAL |
| The listed versions for Weintek EasyBuilder Pro are vulnerable to a ZipSlip attack caused by decompiling a malicious project file. This may allow an attacker to gain control of the user’s computer or gain access to sensitive data. | |||||
| CVE-2022-2788 | 1 Emerson | 1 Electric\'s Proficy | 2024-11-21 | N/A | 3.9 LOW |
| Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code. | |||||
| CVE-2024-7962 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2024-11-01 | N/A | 7.5 HIGH |
| An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json extension and, except for the first line, every other line must contain commas. This vulnerability allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials. | |||||