Lucene search

8776 matches found

CNNVD
added 2022/08/29 12:00 a.m. · 3 views

WordPress plugin WPIDE path traversal vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A path traversal...

7.2 CVSS · 6.9 AI score · 0.0108 EPSS
Exploits 1 · References 2
Positive Technologies
added 2022/08/29 12:00 a.m. · 3 views

PT-2022-15562 · WordPress · Wpide

Name of the Vulnerable Software and Affected Versions: WPIDE WordPress plugin versions prior to 3.0 Description: The issue arises from the lack of sanitization and validation of the filename parameter before it is used in a require statement within the admin dashboard, leading to a Local File...

7.2 CVSS · 6.8 AI score · 0.0108 EPSS
Exploits 1 · References 5
CNNVD
added 2022/08/26 12:00 a.m. · 4 views

HTMLy path traversal vulnerability

HTMLy is a PHP-based open source blogging platform. HTMLy v2.8.1 contains a path traversal vulnerability that stems from arbitrary file deletion in its viewsackup.html.php component...

8.1 CVSS · 6.9 AI score · 0.00824 EPSS
Exploits 1 · References 2
NVD
added 2022/08/25 2:15 p.m. · 20 views

CVE-2022-37076

TOTOLINK A7000R V9.1.0u.6115B20201022 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile...

7.8 CVSS · 0.01133 EPSS
Exploits 1 · References 1
OSV
added 2022/08/25 2:15 p.m. · 2 views

CVE-2022-36486

TOTOLINK N350RT V9.3.5u.6139B20201216 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile...

7.8 CVSS · 5.8 AI score · 0.01147 EPSS
Exploits 1 · References 1
OSV
added 2022/08/25 2:15 p.m. · 2 views

CVE-2022-36460

TOTOLINK A3700R V9.1.2u.6134B20201202 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile...

7.8 CVSS · 5.8 AI score · 0.01133 EPSS
Exploits 1 · References 1
Prion
added 2022/08/25 2:15 p.m. · 13 views

Command injection

TOTOLINK A3700R V9.1.2u.6134B20201202 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile...

4.3 CVSS · 7.9 AI score · 0.01133 EPSS
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2022/08/25 2:00 p.m. · 28 views

CVE-2022-37076

TOTOLINK A7000R V9.1.0u.6115B20201022 was discovered to contain a command injection vulnerability via the FileName parameter in the function UploadFirmwareFile...

8.1 AI score · 0.01133 EPSS
Exploits 1 · References 1
CVE
added 2022/08/25 2:00 p.m. · 55 views

CVE-2022-37076

Totolink A7000R devices running V9.1.0u.6115_B20201022 are affected by a command-injection vulnerability in the UploadFirmwareFile function, exploitable via the FileName parameter. According to multiple sources (NVD, Red Hat advisory, CNNVD, PT-Research), the flaw is a local issue with high impac...

7.8 CVSS · 7.8 AI score · 0.01133 EPSS
Exploits 1 · References 1 · Affected Software 1
OSV
added 2022/08/25 2:15 a.m. · 2 views

CVE-2022-32427

PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content. This issue has been resolved in PrinterLogic Windows Client...

8.8 CVSS · 5.8 AI score · 0.01321 EPSS
Exploits 0 · References 2
ATTACKERKB
added 2022/08/25 2:15 a.m. · 2 views

CVE-2022-32427

PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content. This issue has been resolved in PrinterLogic Windows Client...

8.8 CVSS · 7.4 AI score · 0.01321 EPSS
Exploits 0 · References 3
CNNVD
added 2022/08/25 12:00 a.m. · 3 views

TOTOLINK N350RT operating system command injection vulnerability

The TOTOLINK N350RT is a small home router from China's Gion Electronics (TOTOLINK). An operating system command injection vulnerability exists in TOTOLINK N350RT version V9.3.5u.6139B20201216; it stems from a command injection issue in the FileName parameter of the UploadFirmwareFile meth...

7.8 CVSS · 5.6 AI score · 0.01147 EPSS
Exploits 1 · References 2
Positive Technologies
added 2022/08/25 12:00 a.m. · 2 views

PT-2022-23383 · Totolink · Totolink A3700R

Name of the Vulnerable Software and Affected Versions: TOTOLINK A3700R version 9.1.2u.6134 B20201202 Description: A command injection issue was found in the UploadFirmwareFile function via the FileName parameter. Recommendations: For version 9.1.2u.6134 B20201202, avoid using the FileName paramet...

7.8 CVSS · 7.9 AI score · 0.01133 EPSS
Exploits 1 · References 2
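The TOTOLINK entries above all describe the same sink: a FileName parameter that reaches a shell. The block below is an added example, not code from the TOTOLINK firmware or from any of the listed advisories. The UploadFirmwareFile handler is not reproduced; a harmless echo stands in for whatever command the real handler ran, and the payload, the allowlist pattern and the function names are constructed for illustration.

```python
"""Shell injection through a filename parameter: the vulnerable shape beside
two hardened forms.  Added example; not the router's code."""
import re
import subprocess

# Constructed attacker input: a "firmware file name" that carries a second
# shell command after a separator.
PAYLOAD = "fw.bin; echo INJECTED"

# Allowlist for one plain path component: alphanumeric start, then
# alphanumerics, dot, underscore or hyphen, at most 64 characters.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_filename(name: str) -> str:
    """Reject anything that is not a single benign filename component."""
    if not SAFE_FILENAME.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected filename: {name!r}")
    return name


def vulnerable(filename: str) -> str:
    """The bug's shape: the parameter is spliced into a string that /bin/sh
    parses, so ';', '|' and '$(...)' become commands.  Returns the shell's
    stdout so the effect is visible without side effects."""
    cmd = f"echo uploading {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_argv(filename: str) -> str:
    """First fix: no shell at all.  The parameter is one argv element, so
    metacharacters reach the program as literal characters."""
    argv = ["echo", "uploading", filename]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def hardened(filename: str) -> str:
    """Both layers: allowlist the name, then run without a shell."""
    return hardened_argv(validate_filename(filename))


def is_rejected(filename: str) -> bool:
    """True when the allowlist refuses the name."""
    try:
        validate_filename(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable(PAYLOAD), end="")      # two lines: the echo, then INJECTED
    print(hardened_argv(PAYLOAD), end="")   # one line, payload printed literally
    print(is_rejected(PAYLOAD))             # True
```

The argv form alone already stops the injection; the allowlist is the second layer, because a filename that is not injectable can still be a traversal (`../fw.bin`) or otherwise surprising to the program it is handed to.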
Vulnrichment
added 2022/08/19 8:40 p.m. · 8 views

CVE-2022-36031 Unhandled exception on illegal filename_disk value

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15....

6.5 CVSS · 6.7 AI score · 0.00837 EPSS
Exploits 1 · References 1
OSSF Malicious Packages
added 2022/08/19 3:55 a.m. · 1 view

Malicious code in saniibe-filename (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d19bc3ef2771b6d5cf1f86fb61546632bb20d05e9ba7a9c5d6edeb598eade4d6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits 0 · References 1
OSV
added 2022/08/19 3:55 a.m. · 4 views

MAL-2022-5928 Malicious code in saniibe-filename (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d19bc3ef2771b6d5cf1f86fb61546632bb20d05e9ba7a9c5d6edeb598eade4d6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits 0 · References 1
Positive Technologies
added 2022/08/19 12:00 a.m. · 5 views

PT-2022-23129 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.15.0 Description: The Directus process can be aborted by having an authorized user update the filename disk value to a folder and accessing that file through the "/assets" endpoint. This issue has been patched and...

6.5 CVSS · 6.4 AI score · 0.00837 EPSS
Exploits 1 · References 7
CNNVD
added 2022/08/12 12:00 a.m. · 4 views

Zoo Management System code issue vulnerability

Zoo Management System is a zoo management system by Carlo Montero, an individual developer. It provides an online and automated platform for zoo organizations to manage their daily records. A code issue vulnerability exists in Zoo Management System. An attacker could exploit the vulnerability by...

9.8 CVSS · 8.4 AI score · 0.00781 EPSS
Exploits 1 · References 3
OSV
added 2022/08/11 2:49 p.m. · 2 views

GHSA-8X94-HMJH-97HQ Django vulnerable to Reflected File Download attack

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input...

8.8 CVSS · 7.2 AI score · 0.00654 EPSS
Exploits 1 · References 14
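The Django entry above turns on one detail: a filename derived from request input being interpolated into Content-Disposition. The block below is an added example written against that description, not Django's own FileResponse code. It puts the naive header beside an escaped one and adds a small parameter reader that stands in for a browser, so the difference in what the client sees is checkable. The attacker-chosen filename and all function names are constructed for illustration.

```python
"""Content-Disposition from a user-derived filename: naive interpolation
beside an escaped form.  Added example; not Django's code."""
from __future__ import annotations

from urllib.parse import quote

# Constructed attacker-chosen name: a '"' closes the quoted parameter early
# and a second filename= parameter rides behind it.
EVIL = 'report.txt"; filename="run.bat'


def naive_disposition(filename: str, as_attachment: bool = True) -> str:
    """The vulnerable shape: the name goes into the header unescaped."""
    kind = "attachment" if as_attachment else "inline"
    return f'{kind}; filename="{filename}"'


def safe_disposition(filename: str, as_attachment: bool = True) -> str:
    """Escape backslash and '"' inside the quoted-string; names that are not
    ASCII use the RFC 5987 filename* form instead.  CR/LF would terminate the
    header line, so they are refused outright."""
    if "\r" in filename or "\n" in filename:
        raise ValueError("control characters in filename")
    kind = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        return f"{kind}; filename*=utf-8''{quote(filename)}"
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'{kind}; filename="{escaped}"'


def rejects(filename: str) -> bool:
    """True when safe_disposition refuses the name."""
    try:
        safe_disposition(filename)
    except ValueError:
        return True
    return False


def parse_params(header: str) -> list[tuple[str, str]]:
    """Minimal Content-Disposition parameter reader that honours quoted-string
    escapes: roughly what a client sees for each variant."""
    _, _, s = header.partition(";")
    params: list[tuple[str, str]] = []
    i = 0
    while i < len(s):
        while i < len(s) and s[i] in " ;":   # skip separators
            i += 1
        if i >= len(s):
            break
        eq = s.find("=", i)
        if eq == -1:
            break
        key = s[i:eq].strip()
        i = eq + 1
        if i < len(s) and s[i] == '"':        # quoted-string value
            i += 1
            chars: list[str] = []
            while i < len(s) and s[i] != '"':
                if s[i] == "\\" and i + 1 < len(s):
                    i += 1                    # quoted-pair: take next char literally
                chars.append(s[i])
                i += 1
            i += 1                            # closing quote
            params.append((key, "".join(chars)))
        else:                                 # token value up to next ';'
            end = s.find(";", i)
            end = len(s) if end == -1 else end
            params.append((key, s[i:end].strip()))
            i = end
    return params


if __name__ == "__main__":
    print(naive_disposition(EVIL))            # two filename= parameters
    print(parse_params(naive_disposition(EVIL)))
    print(safe_disposition(EVIL))             # one parameter, quotes escaped
    print(parse_params(safe_disposition(EVIL)))
```

With the naive header the reader returns two filename parameters, and a lenient client that takes the last one saves `run.bat`; with the escaped header there is exactly one, containing the attacker's string as inert data.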
Microsoft CVE
added 2022/08/10 7:00 a.m. · 1 view

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files and directories are sent to the client, but the rsync client performs insufficient validation of the file names it receives. A malicious rsync server (or a man-in-the-middle attacker) can therefore overwrite arbitrary files in the rsync client's target directory and its subdirectories (for example, the .ssh/authorized_keys file).

...

7.4 CVSS · 7.7 AI score · 0.0165 EPSS
Exploits 1
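The rsync entry above, like the WPIDE, PrinterLogic and Directus entries earlier in the list, comes down to a file name chosen by the other side being joined to a target directory without checking where it ends up. The function below is an added example, not code from rsync or from any of those projects. It shows the confinement check a receiving side needs: reject absolute names, resolve `..` and symlinks before comparing against the root, and (for reads) refuse a name that lands on a directory where a file was expected, which is the shape of the Directus crash. The temporary directory layout, the symlink and the probe names are constructed for illustration.

```python
"""Confining a peer-supplied file name to a target directory.  Added example;
not rsync's, WPIDE's, PrinterLogic's or Directus' code."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised for a name that would leave the target directory."""


def confine(root: Path, name: str, must_be_file: bool = False) -> Path:
    """Return root/name only if it still lies under root after '..' and
    symlinks are resolved.  must_be_file additionally rejects an existing
    path that is not a regular file."""
    root = root.resolve()
    if "\x00" in name or os.path.isabs(name):
        raise UnsafePath(f"absolute or NUL-containing name: {name!r}")
    candidate = (root / name).resolve()       # collapses '..', follows symlinks
    try:
        candidate.relative_to(root)           # raises if candidate is outside root
    except ValueError:
        raise UnsafePath(f"escapes {root}: {name!r}") from None
    if must_be_file and candidate.exists() and not candidate.is_file():
        raise UnsafePath(f"not a regular file: {name!r}")
    return candidate


def accepts(root: Path, name: str, must_be_file: bool = True) -> bool:
    """True if confine() would allow the name."""
    try:
        confine(root, name, must_be_file)
    except UnsafePath:
        return False
    return True


def demo() -> dict[str, bool]:
    """Constructed target tree: a real subdirectory, a file in it, and a
    symlink pointing above the root.  Returns name -> accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "target"
        (root / "sub").mkdir(parents=True)
        (root / "sub" / "data.bin").write_bytes(b"constructed sample")
        (root / "escape").symlink_to(Path(tmp))   # symlink out of the root
        names = [
            "sub/data.bin",               # inside: accepted
            "new/file.txt",               # inside, not yet existing: accepted
            "../.ssh/authorized_keys",    # the rsync overwrite: rejected
            "sub/../../outside",          # traversal through a real directory
            "/etc/passwd",                # absolute name
            "escape/anything",            # escape via symlink
            "sub",                        # a directory where a file was expected
        ]
        return {n: accepts(root, n) for n in names}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'accept' if ok else 'reject':6}  {name}")
```

The order matters: resolve first, then compare, because a string check for `..` misses the symlink case, and a comparison before resolving misses `sub/../../outside`.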