VYPR

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Abstraction: Base · Status: Stable · Likelihood of exploit: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (5,488)

  • CVE-2024-32778 · High · Jun 9, 2024
    risk 0.50 · CVSS 7.7 · EPSS 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery. This issue affects Contest Gallery: from n/a through <= 21.3.4.

  • CVE-2024-34060 · High · May 23, 2024
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    IrisEVTXModule is an interface module for Evtx2Splunk and Iris in order to ingest Microsoft EVTX log files. The `iris-evtx-module` is a pipeline plugin of `iris-web` that processes EVTX files through IRIS web application. During the upload of an EVTX through this pipeline, the…

  • CVE-2024-35186 · High · May 23, 2024
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    gitoxide is a pure Rust implementation of Git. During checkout, `gix-worktree-state` does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application. This vulnerability leads…

  • CVE-2023-26526 · High · May 17, 2024
    risk 0.50 · CVSS 7.7 · EPSS 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Nota-Info Bookly allows Path Traversal, Manipulating Web Input to File System Calls. This issue affects Bookly: from n/a through 21.7.1.

  • CVE-2022-45368 · High · May 17, 2024
    risk 0.50 · CVSS 7.7 · EPSS 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Lenderd 1003 Mortgage Application allows Relative Path Traversal. This issue affects 1003 Mortgage Application: from n/a through 1.75.

  • CVE-2024-1630 · High · May 14, 2024
    risk 0.50 · CVSS 7.7 · EPSS 0.00

    Path traversal vulnerability in “getAllFolderContents” function of Common Service Desktop, a GE HealthCare ultrasound device component

  • CVE-2024-31240 · High · Apr 10, 2024
    risk 0.50 · CVSS 7.7 · EPSS 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in InfoTheme WP Poll Maker. This issue affects WP Poll Maker: from n/a through 3.1.

  • CVE-2024-1974 · High · Apr 9, 2024
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.6 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to read the…

  • CVE-2024-24042 · High · Mar 19, 2024
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Directory Traversal vulnerability in Devan-Kerman ARRP v.0.8.1 and before allows a remote attacker to execute arbitrary code via the dumpDirect in RuntimeResourcePackImpl component.

  • CVE-2024-1358 · High · Mar 13, 2024
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of…

  • CVE-2023-47890 · High · Jan 8, 2024
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.

  • CVE-2023-6753 · High · Dec 13, 2023
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Path Traversal in GitHub repository mlflow/mlflow prior to 2.9.2.

  • CVE-2023-49089 · High · Dec 12, 2023
    risk 0.50 · CVSS 7.7 · EPSS 0.01

    Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10,…

  • CVE-2023-30626 · High · Apr 24, 2023
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability…

  • CVE-2023-28105 · High · Mar 16, 2023
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been…

  • CVE-2023-27475 · High · Mar 7, 2023
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    Goutil is a collection of miscellaneous functionality for the go language. In versions prior to 0.6.0 when users use fsutil.Unzip to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. This vulnerability is known as a ZipSlip. This issue has been…

  • CVE-2022-34271 · High · Dec 14, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.01

    A vulnerability in import module of Apache Atlas allows an authenticated user to write to web server filesystem. This issue affects Apache Atlas versions from 0.8.4 to 2.2.0.

  • CVE-2022-34254 · High · Aug 16, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.02

    Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could be abused by an attacker to inject malicious scripts into the…

  • CVE-2021-33036 · High · Jun 15, 2022
    risk 0.50 · CVSS 8.8 · EPSS 0.03

    In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

  • CVE-2022-1993 · High · Jun 9, 2022
    risk 0.50 · CVSS 8.1 · EPSS 0.51

    Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.
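The weakness in the Description above, and its ZipSlip form in the CVE-2023-28105 and CVE-2023-27475 entries (both Go unzip helpers), as an added Go example. This is not code from this page or from any of the listed projects: SafeJoin, Unzip, BuildZip and ZipEntry are hypothetical names, the base directory and the archive entries are constructed test data, and the vulnerable form it guards against is the bare filepath.Join(base, untrustedName) used as a file path with no confinement check.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when an untrusted name would resolve outside base.
var ErrTraversal = errors.New("path escapes restricted directory")

// SafeJoin joins an untrusted, slash-separated name onto base and rejects any
// result that does not stay underneath base. The CWE-22 pattern is using
// filepath.Join(base, name) directly; this decides on the cleaned result of
// that join, so "a/../../x" is caught after normalisation rather than by
// grepping for "..". Callers must URL-decode first, and the check is lexical:
// a symlink already inside base can still point outside it.
func SafeJoin(base, untrusted string) (string, error) {
	// Backslashes count as separators: on Unix they are ordinary filename
	// characters, so `..\..\x` would otherwise slip through.
	name := strings.ReplaceAll(untrusted, `\`, "/")
	if name == "" || strings.HasPrefix(name, "/") || filepath.VolumeName(name) != "" {
		return "", ErrTraversal // empty, absolute, or (on Windows) drive-prefixed
	}
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

// ZipEntry is a name/content pair for building a constructed test archive.
type ZipEntry struct{ Name, Content string }

// BuildZip writes entries into an in-memory archive. archive/zip does not
// refuse "../x" names on the writing side, which is why ZipSlip is easy to craft.
func BuildZip(entries []ZipEntry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, _ := zw.Create(e.Name) // constructed test data; errors ignored on purpose
		w.Write([]byte(e.Content))
	}
	zw.Close()
	return buf.Bytes()
}

// Unzip extracts data into dest. Every entry name is confined with SafeJoin
// before anything is written, so one "../escape" entry rejects the whole
// archive instead of leaving a half-extracted tree. Symlink entries are refused
// (a later entry could write through them); bare directory entries are skipped
// and parent directories are created as files need them.
func Unzip(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ flags "../" names itself (ErrInsecurePath) only when
	// GODEBUG=zipinsecurepath=0; do not rely on it, confine every name anyway.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("entry %q: symlink refused", f.Name)
		}
		if targets[i], err = SafeJoin(dest, f.Name); err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
	}
	var written []string
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		content, err := io.ReadAll(rc)
		rc.Close()
		if err == nil {
			err = os.MkdirAll(filepath.Dir(targets[i]), 0o755)
		}
		if err == nil {
			err = os.WriteFile(targets[i], content, 0o644)
		}
		if err != nil {
			return written, err
		}
		written = append(written, targets[i])
	}
	return written, nil
}
```

SafeJoin("/srv/app/uploads", "../../etc/passwd") returns ErrTraversal where filepath.Join alone would have produced /srv/etc/passwd, and Unzip validates every entry before writing the first byte, so a crafted archive fails closed. Because the check is lexical it says nothing about symlinks already present under the base directory; refuse symlink entries at extraction time, as Unzip does, or resolve the final path and re-check it.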