666 matches found
CVE-2024-7043
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all...
CVE-2024-7043 Improper Access Control in open-webui/open-webui
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all...
CVE-2024-7631
A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint's lng and ns parameters are used to construct a filepath in pkg/plugins/handlers unsafely.goL112 Because of this unsafe filepath construction, an...
CVE-2024-7631
OpenShift Console CVE-2024-7631 describes a path traversal flaw in the locales/resources.json endpoint where lng/ns are used to build a file path in pkg/plugins/handlers unsafely.go, allowing an authenticated user to read arbitrary JSON files on the console pod by using ../ sequences. Connected d...
Security Bulletin: IBM Security QRadar EDR could allow Unauthorized File Retrieval via SMB (CVE-2024-45644)
Summary IBM Security QRadar EDR allows SMB file downloads, restricted to Administrator and Responder accounts. This behavior follows Windows OS defaults, and documentation will be updated to recommend NTLM restrictions and least privilege access controls. Vulnerability Details CVEID:CVE-2024-4564...
CVE-2025-27101 Broken Access Control in Opal filesystem's copy functionality exposes all user data
Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, when copying any parent directory to a folder in the /temp/ directory, all files in that parent directory are copied, including files which the user should not have access to. All users of t...
CVE-2025-1936
CVE-2025-1936 is a Firefox/Thunderbird vulnerability where jar: URLs used to retrieve local ZIP contents could misclassify content due to a null-termination issue in the archive, potentially enabling disguised code in a web extension. Affected: Firefox before 136, Firefox ESR before 128.8, Thunde...
CVE-2025-24843
Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data...
CVE-2025-24843
Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data...
CVE-2025-24843
CVE-2025-24843 affects the Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application. The issue is an insecure file retrieval process that could enable file manipulation, impacting the confidentiality, integrity, authenticity and attestation of stored data and potentially...
Dario Health 安全漏洞
Dario Health is a software from Dario Health that provides digital health solutions for people with chronic conditions. Dario Health has a security vulnerability that stems from an insecure file retrieval process that could lead to file manipulation, impacting product stability and data...
PT-2025-9119 · Dario Health · Dario Application Database/Internet-Based Server Infrastructure +1
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue concerns an insecure file retrieval process. This process may facilitate the potential for file manipulation, which could affect product stability and the confidentiality, integrit...
CVE-2025-25224
The LuxCal Web Calendar prior to 5.3.3M MySQL version and prior to 5.3.3L SQLite version contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained...
CVE-2024-44336
An issue in AnkiDroid Android Application v2.17.6 allows attackers to retrieve internal files from the /data/data/com.ichi2.anki/ directory and save it into publicly available storage...
CVE-2024-44336
AnkiDroid Android Application v2.17.6 is affected by CVE-2024-44336, where an attacker can retrieve internal files from the directory /data/data/com.ichi2.anki/ and copy them to publicly accessible storage. The connected PT-2025-6409 entry corroborates the affected version and indicates that ther...
CVE-2024-44336
An issue in AnkiDroid Android Application v2.17.6 allows attackers to retrieve internal files from the /data/data/com.ichi2.anki/ directory and save it into publicly available storage...
CVE-2020-15099
In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, in a case where an attacker manages to generate a valid cryptographic message authentication code HMAC-SHA1 - either by using a different existing vulnerability or in case t...
CVE-2020-6366
SAP NetWeaver Compare Systems versions - 7.20, 7.30, 7.40, 7.50, does not sufficiently validate uploaded XML documents. An attacker with administrative privileges can retrieve arbitrary files including files on OS level from the server and/or can execute a denial-of-service...
CVE-2024-46898
SHIRASAGI prior to v1.19.1 processes URLs in HTTP requests improperly, resulting in a path traversal vulnerability. If this vulnerability is exploited, arbitrary files on the server may be retrieved when processing crafted HTTP requests...
CVE-2024-4941
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the postprocess function within gradio/components/jsoncomponent.py, where a user-controlled string is parsed as JSON. If the parsed JSON...