CWE-22 — Path Traversal
8,243 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-22 (page 58 of 165)
- CVE-2019-7160 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-01-29
  idreamsoft iCMS 7.0.13 allows admincp.php?app=files ../ Directory Traversal via the udir parameter to files.admincp.php, resulting in execution of arbitrary PHP code from a ZIP file via the admincp.php?app=apps zipfile parameter to apps.ad…
- CVE-2019-7194 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2019-12-05
  This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
- CVE-2019-7195 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2019-12-05
  This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
- CVE-2019-7213 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-04-24
  SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execu…
- CVE-2019-7227 | HIGH | CVSS 7.3 | EG 7.3 | 2019-06-27
  In the ABB IDAL FTP server, an authenticated attacker can traverse to arbitrary directories on the hard disk with "CWD ../" and then use the FTP server functionality to download and upload files. An unauthenticated attacker can take advant…
- CVE-2019-7234 | CRITICAL | CVSS 9.1 | EG 9.1 | 2019-01-30
  An issue was discovered in idreamsoft iCMS 7.0.13. admincp.php?app=apps&do=save allows directory traversal via _app=/../ to begin the process of creating a ZIP archive file with the complete contents of any directory because of an apps.adm…
- CVE-2019-7235 | HIGH | CVSS 7.5 | EG 7.5 | 2019-01-30
  An issue was discovered in idreamsoft iCMS 7.0.13. admincp.php?app=apps&do=save allows directory traversal via _app=/../ to designate an arbitrary directory because of an apps.admincp.php error. This directory can then be deleted via an ad…
- CVE-2019-7236 | HIGH | CVSS 7.5 | EG 7.5 | 2019-01-30
  An issue was discovered in idreamsoft iCMS 7.0.13. editor/editor.admincp.php allows admincp.php?app=editor&do=fileManager dir=../ Directory Traversal.
- CVE-2019-7237 | HIGH | CVSS 7.5 | EG 7.5 | 2019-01-30
  An issue was discovered in idreamsoft iCMS 7.0.13 on Windows. editor/editor.admincp.php allows admincp.php?app=files&do=browse ..\ Directory Traversal.
- CVE-2019-7253 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-07-02
  Linear eMerge E3-Series devices allow Directory Traversal.
- CVE-2019-7254 | HIGH | CVSS 7.5 | EG 9.0 | 2019-07-02
  Linear eMerge E3-Series devices allow File Inclusion.
- CVE-2019-7267 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-07-02
  Linear eMerge 50P/5000P devices allow Cookie Path Traversal.
- CVE-2019-7289 | MEDIUM | CVSS 5.5 | EG 5.5 | 2019-12-18
  A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in Shortcuts 2.1.3 for iOS. A local user may be able to view sensitive user information.
- CVE-2019-7315 | HIGH | CVSS 7.5 | EG 7.5 | 2019-06-17
  Genie Access WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera devices through 3.x are vulnerable to directory traversal via the web interface, as demonstrated by reading /etc/shadow. NOTE: this product is discontinued, and its final firmwa…
- CVE-2019-7387 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-02-04
  A local file inclusion vulnerability exists in the web interface of Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. When the export function is called from system/maintenance/export.php, it accepts th…
- CVE-2019-7403 | MEDIUM | CVSS 4.9 | EG 4.9 | 2019-02-05
  An issue was discovered in PHPMyWind 5.5. It allows remote attackers to delete arbitrary folders via an admin/database_backup.php?action=import&dopost=deldir&tbname=../ URI.
- CVE-2019-7483 | HIGH | CVSS 7.5 | EG 9.0 | ⚠ KEV | 2019-12-19
  In SonicWall SMA100, an unauthenticated Directory Traversal vulnerability in the handleWAFRedirect CGI allows the user to test for the presence of a file on the server.
- CVE-2019-7618 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-10-01
  A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running C…
- CVE-2019-7678 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-02-09
  A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.
- CVE-2019-7751 | HIGH | CVSS 7.5 | EG 7.5 | 2019-12-31
  A directory traversal and local file inclusion vulnerability in FPProducerInternetServer.exe in Ricoh MarcomCentral, formerly PTI Marketing, FusionPro VDP before 10.0 allows a remote attacker to list or enumerate sensitive contents of file…
- CVE-2019-7859 | HIGH | CVSS 7.5 | EG 7.5 | 2019-08-02
  A path traversal vulnerability in the WYSIWYG editor for Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could result in unauthorized access to uploaded images due to insufficient access control.
- CVE-2019-8074 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-09-27
  ColdFusion 2018- update 4 and earlier and ColdFusion 2016- update 11 and earlier have a Path Traversal vulnerability. Successful exploitation could lead to Access Control Bypass in the context of the current user.
- CVE-2019-8238 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-23
  Adobe Acrobat and Reader versions 2019.010.20100 and earlier; 2019.010.20099 and earlier versions; 2017.011.30140 and earlier version; 2017.011.30138 and earlier version; 2015.006.30495 and earlier versions; 2015.006.30493 and earlier vers…
- CVE-2019-8291 | HIGH | CVSS 7.5 | EG 7.5 | 2019-10-01
  Online Store System v1.0 delete_file.php doesn't check to see if a user has administrative rights nor does it check for path traversal.
- CVE-2019-8320 | HIGH | CVSS 7.4 | EG 7.4 | 2019-06-06
  A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that dest…
- CVE-2019-8358 | HIGH | CVSS 8.1 | EG 8.1 | 2019-02-16
  In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.
- CVE-2019-8385 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-06-05
  An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in the ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote…
- CVE-2019-8389 | HIGH | CVSS 8.1 | EG 8.1 | 2019-02-17
  A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST para…
- CVE-2019-8395 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-02-17
  An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
- CVE-2019-8407 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-02-17
  HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php/language/edit URI.
- CVE-2019-8411 | HIGH | CVSS 7.5 | EG 7.5 | 2019-02-17
  admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal.
- CVE-2019-8412 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-17
  FeiFeiCms 4.0.181010 on Windows allows remote attackers to read or delete arbitrary files via index.php?s=Admin-Data-Down-id-..\ or index.php?s=Admin-Data-Del-id-..\ directory traversal.
- CVE-2019-8903 | HIGH | CVSS 7.5 | EG 7.5 | 2019-02-18
  index.js in Total.js Platform before 3.2.3 allows path traversal.
- CVE-2019-8925 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-05-17
  An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote a…
- CVE-2019-8943 | MEDIUM | CVSS 6.5 | EG 9.0 | 2019-02-20
  WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such…
- CVE-2019-8952 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-05-13
  A Path Traversal vulnerability located in the webserver affects several Bosch hardware and software products. The vulnerability potentially allows a remote authorized user to access arbitrary files on the system via the network interface. …
- CVE-2019-9005 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-04-18
  The Cprime Power Scripts app before 4.0.14 for Atlassian Jira allows Directory Traversal.
- CVE-2019-9015 | CRITICAL | CVSS 9.1 | EG 9.1 | 2019-02-22
  A Path Traversal vulnerability was discovered in MOPCMS through 2018-11-30, leading to deletion of unexpected critical files. The exploitation point is in the "column management" function. The path added to the column is not verified. When…
- CVE-2019-9060 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-17
  An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showme…
- CVE-2019-9064 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-02-23
  PHP Scripts Mall Cab Booking Script 1.0.3 allows Directory Traversal into the parent directory of a jpg or png file.
- CVE-2019-9106 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-31
  The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to execute or include local .php files, as demonstrated by menu=php://filter/convert.base64-encode/resource=index.php…
- CVE-2019-9157 | MEDIUM | CVSS 5.7 | EG 5.7 | 2019-06-05
  Gemalto DS3 Authentication Server 2.6.1-SP01 allows Local File Disclosure.
- CVE-2019-9195 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-02-26
  util/src/zip.rs in Grin before 1.0.2 mishandles suspicious files. An attacker can execute arbitrary code via directory traversal in a ZIP archive.
- CVE-2019-9222 | HIGH | CVSS 8.1 | EG 8.1 | 2019-04-17
  An issue was discovered in GitLab Community and Enterprise Edition before 11.6.10, 11.7.x before 11.7.6, and 11.8.x before 11.8.1. It has Insecure Permissions.
- CVE-2019-9281 | HIGH | CVSS 7.5 | EG 7.5 | 2019-09-27
  In GoogleContactsSyncAdapter, there is a possible path traversal due to improper input sanitization. This could lead to a bypass of user interaction requirements with no additional execution privileges needed. User interaction is not neede…
- CVE-2019-9489 | HIGH | CVSS 7.5 | EG 7.5 | 2019-04-05
  A directory traversal vulnerability in Trend Micro Apex One, OfficeScan (versions XG and 11.0), and Worry-Free Business Security (versions 10.0, 9.5 and 9.0) could allow an attacker to modify arbitrary files on the affected product's manag…
- CVE-2019-9607 | MEDIUM | CVSS 5.3 | EG 5.3 | 2019-03-06
  PHP Scripts Mall Medical Store Script 3.0.3 allows Path Traversal by navigating to the parent directory of a jpg or png file.
- CVE-2019-9610 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-03-06
  An issue was discovered in OFCMS before 1.1.3. It has admin/cms/template/getTemplates.html?res_path=res&up_dir=../ directory traversal, related to the getTemplates function in TemplateController.java.
- CVE-2019-9611 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-03-06
  An issue was discovered in OFCMS before 1.1.3. It allows admin/cms/template/getTemplates.html?res_path=res directory traversal, with ../ in the dir parameter, to write arbitrary content (in the file_content parameter) into an arbitrary fil…
- CVE-2019-9618 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-05-13
  The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.