CWE-22

High likelihood

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

9,264 vulnerabilities with CWE-22
| CVE | Severity | Title | CVSS |
|---|---|---|---|
| CVE-2019-7236 | HIGH | idreamsoft iCMS <7.0.13 - Path Traversal | 7.5 |
| CVE-2019-7235 | HIGH | idreamsoft iCMS 7.0.13 - Path Traversal | 7.5 |
| CVE-2019-7234 | CRITICAL | idreamsoft iCMS 7.0.13 - Path Traversal | 9.1 |
| CVE-2019-7160 | CRITICAL | idreamsoft iCMS 7.0.13 - Path Traversal | 9.8 |
| CVE-2019-6500 | HIGH | Axway File Transfer Direct 2.7.1 - Unauthenticated Path Traversal via %2e Encoding Bypass | 7.5 |
| CVE-2019-5887 | HIGH | ShopXO 1.2.0 - Path Traversal via UnlinkDir Method | 7.5 |
| CVE-2019-3580 | HIGH | OpenRefine < 3.1 - Path Traversal and Arbitrary File Write via Project File Import | 7.5 |
| CVE-2018-25421 | MEDIUM | Open STA Manager 2.3 Arbitrary File Download via Path Traversal | 6.5 |
| CVE-2018-25408 | HIGH | The Open ISES Project 3.30A Path Traversal Arbitrary File Download | 7.5 |
| CVE-2018-25393 | MEDIUM | Navigate CMS 2.8.5 Path Traversal via navigate_download.php | 6.5 |
| CVE-2018-25374 | HIGH | Softneta MedDream PACS Server Premium 6.7.1.1 Directory Traversal | 7.5 |
| CVE-2018-25365 | HIGH | PCViewer vt1000 Directory Traversal via GET Request | 7.5 |
| CVE-2018-25326 | HIGH | Google Drive for WordPress 2.2 Path Traversal RCE via gdrive-ajaxs.php | 7.5 |
| CVE-2018-25325 | HIGH | Woocommerce CSV Importer 3.3.6 Path Traversal File Deletion | 7.5 |
| CVE-2018-25312 | MEDIUM | LifeSize ClearSea 3.1.4 Directory Traversal Remote Code Execution | 6.5 |
| CVE-2018-25311 | MEDIUM | VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2) | 6.5 |
| CVE-2018-25308 | HIGH | BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution | 8.8 |
| CVE-2018-25194 | HIGH | Nominas 0.27 - Unauthenticated SQL Injection via Username Parameter | 8.2 |
| CVE-2018-25184 | MEDIUM | Surreal ToDo 0.6.1.2 - Path Traversal | 6.2 |
| CVE-2018-25181 | HIGH | Musicco 2.0.0 - Unauthenticated Path Traversal via Parent Parameter | 7.5 |
| CVE-2018-25178 | HIGH | rul10 easyndexer 1.0 - Unauthenticated Arbitrary File Download via showtif.php File Parameter | 7.5 |
| CVE-2018-25144 | HIGH | Microhard Systems IPn4G 1.1.0 - Auth Bypass | 8.4 |
| CVE-2018-25124 | HIGH | PacsOne Server <6.6.2 - Path Traversal | |
| CVE-2018-25113 | HIGH | Dicoogle PACS Web Server <2.5.0 - Path Traversal | |
| CVE-2018-25094 | LOW | Online Accounting System <=1.4.0 - Path Traversal | 3.5 |
Details
Vulnerabilities 9,264
Exploit Likelihood High