252 matches found
CVE-2025-52574
SysmonElixir is a system monitor HTTP service in Elixir. Prior to version 1.0.1, the /read endpoint reads any file from the server's /etc/passwd by default. In v1.0.1, a whitelist was added that limits reading to only files under priv/data. This issue has been patched in version 1.0.1...
PT-2025-25540 · Wago +1 · Cc100 0751-9X01 +17
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A web application for configuring the controller is accessible at a specific path. It contains an endpoint that allows an unauthenticated remote attacker to read files from the system’s file...
CVE-2025-48998 Dataease MYSQL JDBC File Reading Vulnerability
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. ...
CVE-2024-22096
In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can append path traversal characters to the filename when using a specific command, allowing them to read arbitrary files from the system...
CVE-2024-10585
The InfiniteWP Client plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.13.0 via the 'historyID' parameter of the /debug-chart/index.php file. This makes it possible for unauthenticated attackers to read .txt files outside of the intended directory...
CVE-2023-39912
Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed...
CVE-2023-46863
Peppermint Ticket Management before 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/users/file/download?filepath=./../ POST request...
CVE-2023-46170
IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to arbitrarily read files after enumerating file names...
CVE-2022-34127
The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter...
CVE-2022-32320
A Cross-Site Request Forgery CSRF in Ferdi through 5.8.1 and Ferdium through 6.0.0-nightly.98 allows attackers to read files via an uploaded file such as a settings/preferences file...
CVE-2022-40705
An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This...
CVE-2022-40734
UniSharp laravel-filemanager aka Laravel Filemanager before 2.6.4 allows download?workingdir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0...
CVE-2022-28921
A Cross-Site Request Forgery CSRF vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server...
CVE-2022-28462
novel-plus 3.6.0 suffers from an Arbitrary file reading vulnerability...
CVE-2022-22726
A CWE-20: Improper Input Validation vulnerability exists that could allow arbitrary files on the server to be read by authenticated users through a limited operating system service account. Affected Product: EcoStruxure Power Monitoring Expert Versions 2020 and prior...
CVE-2022-24372
Linksys MR9600 devices before 2.0.5 allow attackers to read arbitrary files via a symbolic link to the root directory of a NAS SMB share...
CVE-2021-37442
NCH IVM Attendant v5.12 and earlier allows path traversal via viewfile?file=/.. to read files...
CVE-2021-24947
The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvmuploadregionsfilepath parameter in the rvmimportregions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server...
CVE-2020-19954
An XML External Entity XXE vulnerability was discovered in /api/notify.php in S-CMS 3.0 which allows attackers to read arbitrary files...
CVE-2020-15507
An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0 that allows remote attackers to read files on the system via unspecified vectors...