EUVD-2020-30993

webERP 4.15.1 contains an unauthenticated file access vulnerability that allows remote attackers to download database backup files without authentication. Attackers can directly access generated backup files in the companies/weberp/ directory by requesting the Backuptimestamp.sql.gz file...

CVE-2020-37082

Summary: CVE-2020-37082 affects webERP 4.15.1 and describes an unauthenticated backup file access flaw. Attackers can directly request and download generated backup files (Backup_[timestamp].sql.gz) from the companies/weberp/ directory without authentication, enabling remote file retrieval via ne...

webERP 安全漏洞

webERP is an open-source ERP system developed by Tim Schofield. It supports inventory management, permission role management, order management, and financial management. Version 4.15.1 of webERP contains a security vulnerability caused by an unverified file access flaw. Attackers can directly...

CVE-2025-15545 Insufficient Backup File Upload Input Validation on TP-Link Archer RE605X

The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attack...

CVE-2025-15545 Insufficient Backup File Upload Input Validation on TP-Link Archer RE605X

The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attack...

HPE Aruba Networking Fabric Composer security vulnerabilities

HPE Aruba Networking Fabric Composer is a network orchestration software developed by the American company HPE. HPE Aruba Networking Fabric Composer has a security vulnerability, which stems from unsafe file operations related to the backup function. This vulnerability could allow authenticated...

Runtipi operating system command injection vulnerability

Runtipi – A Personal Home Server for Everyone is an open-source home server developed by Runtipi. Versions of Runtipi 3.7.0 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from improper handling of backup file names, which could allo...

CVE-2025-55125

This vulnerability allows a Backup or Tape Operator to perform remote code execution RCE as root by creating a malicious backup configuration file...

CVE-2021-22488

There is an Unauthorized file access vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability by modifying soft links may tamper with the files restored from backups...

CVE-2022-0833

The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file...

CVE-2019-16155

A privilege escalation vulnerability in FortiClient for Linux 6.2.1 and below may allow a user with low privilege to overwrite system files as root with arbitrary content through system backup file via specially crafted "BackupConfig" type IPC client requests to the fctsched process. Further more...

CVE-2024-2567

UNSUPPORTED WHEN ASSIGNED A vulnerability, which was classified as problematic, was found in jurecapuder AndroidWeatherApp 1.0.0 on Android. Affected is an unknown function of the file androidmanifest.xml of the component Backup File Handler. The manipulation leads to exposure of backup file to a...

CVE-2025-13698

Deciso OPNsense diagbackup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability. The specific fl...

CVE-2023-53974

D-Link DSL-124 ME1.00 contains a configuration file disclosure vulnerability that allows unauthenticated attackers to retrieve router settings through a POST request. Attackers can send a specific POST request to the router's configuration endpoint to download a complete backup file containing...

CVE-2023-53739 Tinycontrol LAN Controller v3 LK3 1.58a Unauthenticated Configuration Backup Disclosure

Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3settings.bin file and extract base64-encoded user and admin passwords witho...

PT-2025-50266

Name of the Vulnerable Software and Affected Versions Tinycontrol LAN Controller v3 LK3 version 1.58a Description The Tinycontrol LAN Controller v3 LK3 version 1.58a has an issue that allows remote attackers to download configuration backup files containing sensitive credentials without...

CVE-2025-10304

The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the processstatusunlink function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated...

Grav is vulnerable to a DOS on the admin panel

DOS on the admin panel Severity Rating: Medium Vector: Denial Of Service CVE: XXX CWE: 400 - Uncontrolled Resource Consumption CVSS Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Analysis A Denial of Service DoS vulnerability has been identified in the application related to...

CVE-2025-66303

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service DoS vulnerability has been identified in Grav related to the handling of scheduledat parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduledat...

CVE-2025-66303 Grav is vulnerable to a DOS on the admin panel

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service DoS vulnerability has been identified in Grav related to the handling of scheduledat parameters. Specifically, the application fails to properly sanitize input for cron expressions. By manipulating the scheduledat...