CWE-22

High likelihood

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Parent: CWE-706 - Use of Incorrectly-Resolved Name or Reference

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

9,143 vulnerabilities with CWE-22
CVE-2024-52293 HIGH
Craft CMS 4.0.0-4.12.1 - Remote Code Execution via Twig SSTI
CVSS 7.2
CVE-2024-48510 CRITICAL
Mihula Prodotnetzip < 1.19.0 - Path Traversal
CVSS 9.8
CVE-2024-11150 CRITICAL
WordPress User Extra Fields <= 16.6 - Unauthenticated Arbitrary File Deletion via delete_tmp_uploaded_file()
CVSS 9.8
CVE-2024-10816 HIGH
LUNA RADIO PLAYER <6.24.01.24 - Path Traversal
CVSS 7.5
CVE-2024-34787 HIGH
Ivanti Endpoint Manager < 2022 SU6 November Security Update - Unauthenticated Path Traversal
CVSS 7.8
CVE-2024-35274 LOW
Fortinet FortiAnalyzer and FortiManager - Path Traversal via CLI Requests
CVSS 2.3
CVE-2024-32117 MEDIUM
Fortinet Fortianalyzer < 7.2.6 - Path Traversal
CVSS 4.9
CVE-2024-32116 MEDIUM
Fortinet FortiManager 7.2.0-7.4.2 and FortiAnalyzer 7.2.0-7.4.2 - Authenticated Path Traversal via CLI Requests
CVSS 5.1
CVE-2024-50336 MEDIUM
matrix-js-sdk < 34.11.1 - Path Traversal via Crafted MXC URIs
CVE-2024-50329 HIGH
Ivanti Endpoint Manager < 2022 SU6 November Security Update - Unauthenticated Path Traversal and Remote Code Execution
CVSS 8.8
CVE-2024-50324 HIGH
Ivanti Endpoint Manager < 2022 SU6 November Security Update - Authenticated Path Traversal and Remote Code Execution
CVSS 7.2
CVE-2024-50322 HIGH
Ivanti Endpoint Manager Path Traversal (Unauthenticated)
CVSS 7.8
CVE-2024-50559 MEDIUM
Siemens SCALANCE and RUGGEDCOM Firmware < 8.2 - Authenticated Path Traversal via Certificate Filename
CVSS 4.3
CVE-2024-46888 CRITICAL
SINEC INS < V1.0 SP2 Update 3 - Authenticated Path Traversal and Arbitrary File Write via SFTP File Operations
CVSS 9.9
CVE-2024-11123 MEDIUM
Lingdang CRM < 8.6.4.3 - Path Traversal via PDF URL Parameter
CVSS 4.3
CVE-2024-10672 LOW
Multiple Page Generator Plugin - Path Traversal
CVSS 2.7
CVE-2024-51748 CRITICAL
Kanboard < 1.2.42 - Authenticated Remote Code Execution via Path Traversal in Language Setting
CVSS 9.1
CVE-2024-51747 CRITICAL
kanboard < 1.2.42 - Authenticated Path Traversal and Arbitrary File Read via SQLite Database Manipulation
CVSS 9.1
CVE-2024-46954 HIGH
Ghostscript < 10.04.0 - Path Traversal via Overlong UTF-8 Encoding
CVSS 7.8
CVE-2024-10470 CRITICAL
WPLMS Learning Management System for WordPress <= 4.962 - Arbitrary File Read/Deletion via Path Validation
CVSS 9.8
CVE-2024-10626 HIGH
WooCommerce Support Ticket System <= 17.7 - Authenticated Arbitrary File Deletion via delete_uploaded_file()
CVSS 8.8
CVE-2024-10625 CRITICAL
WooCommerce Support Ticket System <= 17.7 - Unauthenticated Arbitrary File Deletion via delete_tmp_uploaded_file()
CVSS 9.8
CVE-2024-51998 HIGH
changedetection.io - Info Disclosure
CVSS 8.6
CVE-2024-43440 HIGH
moodle < 4.1.12 - Path Traversal via Block Backup Restore
CVSS 7.5
CVE-2024-43434 HIGH
Moodle - Cross-Site Request Forgery in Feedback Module Bulk Message Sending
CVSS 8.1
Details
Vulnerabilities 9,143
Exploit Likelihood High
Links
MITRE CWE Entry Search this CWE With Exploits