CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

CWE-706

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (3,734)

page 41 of 187

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2024-47351	Hig	0.49	7.5	0.01	Oct 16, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The CSSIgniter Team MaxSlider maxslider allows Path Traversal.This issue affects MaxSlider: from n/a through <= 1.2.3.
CVE-2024-44034	Hig	0.49	7.5	0.01	Oct 5, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Martin Greenwood WPSPX wpspx allows PHP Local File Inclusion.This issue affects WPSPX: from n/a through <= 1.0.2.
CVE-2024-44018	Hig	0.49	7.5	0.01	Oct 5, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in istmoplugins Instant Chat Floating Button for WordPress Websites instant-chat-wp allows PHP Local File Inclusion.This issue affects Instant Chat Floating Button for WordPress Websites: from n/a through <= 1.0.5.
CVE-2024-44016	Hig	0.49	7.5	0.01	Oct 5, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in amarksteadman Podiant podiant allows PHP Local File Inclusion.This issue affects Podiant: from n/a through <= 1.1.
CVE-2024-44015	Hig	0.49	7.5	0.01	Oct 5, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in istmoplugins Users Control users-control allows PHP Local File Inclusion.This issue affects Users Control: from n/a through <= 1.0.16.
CVE-2024-44013	Hig	0.49	7.5	0.01	Oct 5, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Innate Images LLC VR Calendar vr-calendar-sync allows PHP Local File Inclusion.This issue affects VR Calendar: from n/a through <= 2.4.0.
CVE-2024-44012	Hig	0.49	7.5	0.01	Oct 5, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpdev33 WP Newsletter Subscription wp-newsletter-subscription allows PHP Local File Inclusion.This issue affects WP Newsletter Subscription: from n/a through <= 1.1.
CVE-2024-44011	Hig	0.49	7.5	0.01	Oct 5, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ExpressTech Systems WP Ticket Ultra Help Desk & Support Plugin wp-ticket-ultra allows PHP Local File Inclusion.This issue affects WP Ticket Ultra Help Desk & Support Plugin: from n/a through <= 1.0.5.
CVE-2024-44017	Hig	0.49	7.5	0.01	Oct 2, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in MinHyeong Lim MH Board mh-board allows PHP Local File Inclusion.This issue affects MH Board: from n/a through <= 1.3.2.1.
CVE-2024-44825	Hig	0.49	7.5	0.02	Sep 25, 2024	Directory Traversal vulnerability in Centro de Tecnologia da Informaco Renato Archer InVesalius3 v3.1.99995 allows attackers to write arbitrary files unto the system via a crafted .inv3 file.
CVE-2024-38816	Hig	0.49	7.5	0.94	Sep 13, 2024	Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use * the application runs on Tomcat or Jetty
CVE-2024-43022	Hig	0.49	7.5	0.00	Aug 21, 2024	An issue in the downloader.php component of TOSEI online store management system v4.02, v4.03, and v4.04 allows attackers to execute a directory traversal.
CVE-2024-43345	Hig	0.49	7.5	0.01	Aug 19, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PluginOps Landing Page Builder allows PHP Local File Inclusion.This issue affects Landing Page Builder: from n/a through 1.5.2.0.
CVE-2024-41695	Hig	0.49	7.5	0.01	Jul 30, 2024	Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory
CVE-2024-36527	Med	0.49	6.5	0.89	Jun 17, 2024	puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.
CVE-2024-5637	Hig	0.49	7.5	0.06	Jun 7, 2024	The Market Exporter plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'remove_files' function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use path traversal to delete arbitrary files on the server.
CVE-2023-49753	Hig	0.49	7.5	0.01	May 17, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spoonthemes Adifier System allows PHP Local File Inclusion.This issue affects Adifier System: from n/a before 3.1.4.
CVE-2023-35881	Hig	0.49	7.6	0.01	May 17, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WooCommerce WooCommerce One Page Checkout allows PHP Local File Inclusion.This issue affects WooCommerce One Page Checkout: from n/a through 2.3.0.
CVE-2023-23700	Hig	0.49	7.6	0.01	May 17, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OceanWP allows PHP Local File Inclusion.This issue affects OceanWP: from n/a through 3.4.1.
CVE-2023-40297	Hig	0.49	7.5	0.03	May 15, 2024	Stakater Forecastle 1.0.139 and before allows %5C../ directory traversal in the website component.

CVE-2024-47351HigOct 16, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The CSSIgniter Team MaxSlider maxslider allows Path Traversal.This issue affects MaxSlider: from n/a through <= 1.2.3.
CVE-2024-44034HigOct 5, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Martin Greenwood WPSPX wpspx allows PHP Local File Inclusion.This issue affects WPSPX: from n/a through <= 1.0.2.
CVE-2024-44018HigOct 5, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in istmoplugins Instant Chat Floating Button for WordPress Websites instant-chat-wp allows PHP Local File Inclusion.This issue affects Instant Chat Floating Button for WordPress Websites: from n/a through <= 1.0.5.
CVE-2024-44016HigOct 5, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in amarksteadman Podiant podiant allows PHP Local File Inclusion.This issue affects Podiant: from n/a through <= 1.1.
CVE-2024-44015HigOct 5, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in istmoplugins Users Control users-control allows PHP Local File Inclusion.This issue affects Users Control: from n/a through <= 1.0.16.
CVE-2024-44013HigOct 5, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Innate Images LLC VR Calendar vr-calendar-sync allows PHP Local File Inclusion.This issue affects VR Calendar: from n/a through <= 2.4.0.
CVE-2024-44012HigOct 5, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpdev33 WP Newsletter Subscription wp-newsletter-subscription allows PHP Local File Inclusion.This issue affects WP Newsletter Subscription: from n/a through <= 1.1.
CVE-2024-44011HigOct 5, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ExpressTech Systems WP Ticket Ultra Help Desk & Support Plugin wp-ticket-ultra allows PHP Local File Inclusion.This issue affects WP Ticket Ultra Help Desk & Support Plugin: from n/a through <= 1.0.5.
CVE-2024-44017HigOct 2, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in MinHyeong Lim MH Board mh-board allows PHP Local File Inclusion.This issue affects MH Board: from n/a through <= 1.3.2.1.
CVE-2024-44825HigSep 25, 2024
risk 0.49cvss 7.5epss 0.02
Directory Traversal vulnerability in Centro de Tecnologia da Informaco Renato Archer InVesalius3 v3.1.99995 allows attackers to write arbitrary files unto the system via a crafted .inv3 file.
CVE-2024-38816HigSep 13, 2024
risk 0.49cvss 7.5epss 0.94
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use * the application runs on Tomcat or Jetty
CVE-2024-43022HigAug 21, 2024
risk 0.49cvss 7.5epss 0.00
An issue in the downloader.php component of TOSEI online store management system v4.02, v4.03, and v4.04 allows attackers to execute a directory traversal.
CVE-2024-43345HigAug 19, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PluginOps Landing Page Builder allows PHP Local File Inclusion.This issue affects Landing Page Builder: from n/a through 1.5.2.0.
CVE-2024-41695HigJul 30, 2024
risk 0.49cvss 7.5epss 0.01
Cybonet - CWE-22: Improper Limitation of a Pathname to a Restricted Directory
CVE-2024-36527MedJun 17, 2024
risk 0.49cvss 6.5epss 0.89
puppeteer-renderer v.3.2.0 and before is vulnerable to Directory Traversal. Attackers can exploit the URL parameter using the file protocol to read sensitive information from the server.
CVE-2024-5637HigJun 7, 2024
risk 0.49cvss 7.5epss 0.06
The Market Exporter plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'remove_files' function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use path traversal to delete arbitrary files on the server.
CVE-2023-49753HigMay 17, 2024
risk 0.49cvss 7.5epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in spoonthemes Adifier System allows PHP Local File Inclusion.This issue affects Adifier System: from n/a before 3.1.4.
CVE-2023-35881HigMay 17, 2024
risk 0.49cvss 7.6epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WooCommerce WooCommerce One Page Checkout allows PHP Local File Inclusion.This issue affects WooCommerce One Page Checkout: from n/a through 2.3.0.
CVE-2023-23700HigMay 17, 2024
risk 0.49cvss 7.6epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OceanWP allows PHP Local File Inclusion.This issue affects OceanWP: from n/a through 3.4.1.
CVE-2023-40297HigMay 15, 2024
risk 0.49cvss 7.5epss 0.03
Stakater Forecastle 1.0.139 and before allows %5C../ directory traversal in the website component.