CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Description
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79
CVEs mapped to this weakness (5,488)
page 198 of 275| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-3515 | 0.03 | — | 0.02 | Oct 1, 2009 | Directory traversal vulnerability in dnet_admin/index.php in d.net CMS allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the type parameter. | |||
| CVE-2009-3508 | 0.03 | — | 0.02 | Oct 1, 2009 | Multiple directory traversal vulnerabilities in MUJE CMS 1.0.4.34 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) _class parameter to admin.php and the (2) url parameter to install/install.php; and allow remote authenticated… | |||
| CVE-2009-3507 | 0.03 | — | 0.02 | Oct 1, 2009 | Directory traversal vulnerability in modules.php in CMSphp 0.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the mod_file parameter. | |||
| CVE-2009-3425 | 0.03 | — | 0.03 | Sep 25, 2009 | Directory traversal vulnerability in includes/inc.thcms_admin_dirtree.php in MaxCMS 3.11.20b allows remote attackers to read arbitrary files via directory traversal sequences in the thCMS_root parameter. | |||
| CVE-2009-3366 | 0.03 | — | 0.03 | Sep 24, 2009 | Directory traversal vulnerability in navigation.php in An image gallery 1.0 allows remote attackers to list arbitrary directories via a .. (dot dot) in the path parameter. | |||
| CVE-2009-3219 | 0.03 | — | 0.04 | Sep 16, 2009 | Directory traversal vulnerability in a.php in AR Web Content Manager (AWCM) 2.1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the a parameter. | |||
| CVE-2009-3216 | 0.03 | — | 0.02 | Sep 16, 2009 | Multiple directory traversal vulnerabilities in iWiccle 1.01, when magic_quotes_gpc is disabled, allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the show parameter to the admin module, reachable through index.php; or (2) the module parameter to index.php. | |||
| CVE-2009-3211 | 0.03 | — | 0.02 | Sep 16, 2009 | Directory traversal vulnerability in VivaPrograms Infinity Script 2.x.x, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the options[style_dir] parameter to the default URI. | |||
| CVE-2009-3181 | 0.03 | — | 0.02 | Sep 11, 2009 | Directory traversal vulnerability in Anantasoft Gazelle CMS 1.0 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the customizetemplate parameter in a direct request to admin/settemplate.php. | |||
| CVE-2009-3167 | 0.03 | — | 0.02 | Sep 11, 2009 | Directory traversal vulnerability in index.php in Anantasoft Gazelle CMS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter. | |||
| CVE-2009-3151 | 0.03 | — | 0.03 | Sep 10, 2009 | Directory traversal vulnerability in actions/downloadFile.php in Ultrize TimeSheet 1.2.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter. | |||
| CVE-2009-3149 | 0.03 | — | 0.03 | Sep 10, 2009 | Directory traversal vulnerability in _css/js.php in Elgg 1.5, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the js parameter. NOTE: some of these details are obtained from third party information. | |||
| CVE-2009-3124 | 0.03 | — | 0.03 | Sep 9, 2009 | Directory traversal vulnerability in get_message.cgi in QuarkMail allows remote attackers to read arbitrary files via a .. (dot dot) in the tf parameter. | |||
| CVE-2009-3123 | 0.03 | — | 0.03 | Sep 9, 2009 | Directory traversal vulnerability in gallery/gallery.php in Wap-Motor before 18.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the image parameter. | |||
| CVE-2008-7178 | 0.03 | — | 0.02 | Sep 8, 2009 | Directory traversal vulnerability in Uploader module 1.1 for XOOPS allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a downloadfile action to index.php. | |||
| CVE-2008-7176 | 0.03 | — | 0.02 | Sep 8, 2009 | Multiple directory traversal vulnerabilities in Facil CMS 0.1RC allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) change_lang parameter to index.php or (2) modload parameter to modules.php. | |||
| CVE-2008-7163 | 0.03 | — | 0.04 | Sep 4, 2009 | Directory traversal vulnerability in mods/Integrated/index.php in SineCMS 2.3.5 and earlier, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the sine[config][index_main] parameter. | |||
| CVE-2009-3064 | 0.03 | — | 0.02 | Sep 3, 2009 | Directory traversal vulnerability in debugger/debug_php.php in Ve-EDIT 0.1.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the _GET[filename] parameter. | |||
| CVE-2009-3053 | 0.03 | — | 0.06 | Sep 3, 2009 | Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php. | |||
| CVE-2008-7142 | 0.03 | — | 0.03 | Sep 1, 2009 | Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter. |
- CVE-2009-3515Oct 1, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in dnet_admin/index.php in d.net CMS allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the type parameter.
- CVE-2009-3508Oct 1, 2009risk 0.03cvss —epss 0.02
Multiple directory traversal vulnerabilities in MUJE CMS 1.0.4.34 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) _class parameter to admin.php and the (2) url parameter to install/install.php; and allow remote authenticated…
- CVE-2009-3507Oct 1, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in modules.php in CMSphp 0.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the mod_file parameter.
- CVE-2009-3425Sep 25, 2009risk 0.03cvss —epss 0.03
Directory traversal vulnerability in includes/inc.thcms_admin_dirtree.php in MaxCMS 3.11.20b allows remote attackers to read arbitrary files via directory traversal sequences in the thCMS_root parameter.
- CVE-2009-3366Sep 24, 2009risk 0.03cvss —epss 0.03
Directory traversal vulnerability in navigation.php in An image gallery 1.0 allows remote attackers to list arbitrary directories via a .. (dot dot) in the path parameter.
- CVE-2009-3219Sep 16, 2009risk 0.03cvss —epss 0.04
Directory traversal vulnerability in a.php in AR Web Content Manager (AWCM) 2.1, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the a parameter.
- CVE-2009-3216Sep 16, 2009risk 0.03cvss —epss 0.02
Multiple directory traversal vulnerabilities in iWiccle 1.01, when magic_quotes_gpc is disabled, allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the show parameter to the admin module, reachable through index.php; or (2) the module parameter to index.php.
- CVE-2009-3211Sep 16, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in VivaPrograms Infinity Script 2.x.x, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the options[style_dir] parameter to the default URI.
- CVE-2009-3181Sep 11, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in Anantasoft Gazelle CMS 1.0 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the customizetemplate parameter in a direct request to admin/settemplate.php.
- CVE-2009-3167Sep 11, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in index.php in Anantasoft Gazelle CMS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter.
- CVE-2009-3151Sep 10, 2009risk 0.03cvss —epss 0.03
Directory traversal vulnerability in actions/downloadFile.php in Ultrize TimeSheet 1.2.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter.
- CVE-2009-3149Sep 10, 2009risk 0.03cvss —epss 0.03
Directory traversal vulnerability in _css/js.php in Elgg 1.5, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the js parameter. NOTE: some of these details are obtained from third party information.
- CVE-2009-3124Sep 9, 2009risk 0.03cvss —epss 0.03
Directory traversal vulnerability in get_message.cgi in QuarkMail allows remote attackers to read arbitrary files via a .. (dot dot) in the tf parameter.
- CVE-2009-3123Sep 9, 2009risk 0.03cvss —epss 0.03
Directory traversal vulnerability in gallery/gallery.php in Wap-Motor before 18.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the image parameter.
- CVE-2008-7178Sep 8, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in Uploader module 1.1 for XOOPS allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a downloadfile action to index.php.
- CVE-2008-7176Sep 8, 2009risk 0.03cvss —epss 0.02
Multiple directory traversal vulnerabilities in Facil CMS 0.1RC allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) change_lang parameter to index.php or (2) modload parameter to modules.php.
- CVE-2008-7163Sep 4, 2009risk 0.03cvss —epss 0.04
Directory traversal vulnerability in mods/Integrated/index.php in SineCMS 2.3.5 and earlier, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the sine[config][index_main] parameter.
- CVE-2009-3064Sep 3, 2009risk 0.03cvss —epss 0.02
Directory traversal vulnerability in debugger/debug_php.php in Ve-EDIT 0.1.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the _GET[filename] parameter.
- CVE-2009-3053Sep 3, 2009risk 0.03cvss —epss 0.06
Directory traversal vulnerability in the Agora (com_agora) component 3.0.0b for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter to the avatars page, reachable through index.php.
- CVE-2008-7142Sep 1, 2009risk 0.03cvss —epss 0.03
Absolute path traversal vulnerability in the Disk Usage module (frontend/x/diskusage/index.html) in cPanel 11.18.3 allows remote attackers to list arbitrary directories via the showtree parameter.