CVE-2018-20685

In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side...

CVE-2018-0635

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via filename parameter...

CVE-2018-0635

Aterm HC100RC Ver1.0.1 and earlier allows attacker with administrator rights to execute arbitrary OS commands via filename parameter...

RATELIMITED: Apache mod_negotiation filename bruteforcing https://api.ratelimited.me

The Apache modnegotiation module allowed for filename bruteforcing and information disclosure through a 406 Not Acceptable error response. This vulnerability has been fixed by disabling the MultiViews directive in Apache's configuration file and restarting the server...

CVE-2018-20166

A file-upload vulnerability exists in Rukovoditel 2.3.1. index.php?module=configuration/save allows the user to upload a background image, and mishandles extension checking. It accepts uploads of PHP content if the first few characters match GIF data, and the filename ends in ".php" with mixed...

Potential RCE if filename starts with phar://

More info at https://pear.php.net/bugs/bug.php?id=23782...

Potential RCE if filename starts with phar://

More info at https://pear.php.net/bugs/bug.php?id=23782...

CVE-2018-20129

An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/selectimagespost.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the...

DEBIAN-CVE-2018-16867

A flaw was found in qemu Media Transfer Protocol MTP before version 3.1.0. A path traversal in the in usbmtpwritedata function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lea...

CVE-2018-16867

A flaw was found in qemu Media Transfer Protocol MTP before version 3.1.0. A path traversal in the in usbmtpwritedata function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lea...

CVE-2018-19908

Affected software: MISP 2.4.9x (pre-2.4.99). In the STIX 1 import path, the code in app/Model/Event.php uses an unescaped filename string to build a shell command. This enables an authenticated attacker to modify the STIX import filename to inject and execute arbitrary commands. Exploitation deta...

CVE-2018-12311

Cross-site scripting vulnerability in File Explorer in ASUSTOR ADM version 3.1.1 allows attackers to execute arbitrary JavaScript when a file is moved via a malicious filename...

CVE-2018-12316

OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter...

CVE-2018-12316

OS Command Injection in upload.cgi in ASUSTOR ADM version 3.1.1 allows attackers to execute system commands by modifying the filename POST parameter...

CVE-2018-7116

HPE Intelligent Management Center IMC prior to IMC PLAT 7.3 E0605P06 is vulnerable to a remote denial of service via dbman Opcode 10003 'Filename'. This problem is resolved in IMC PLAT 7.3 E0605P06 or subsequent versions...

HPE Intelligent Management Center Buffer Overflow Vulnerability (CNVD-2019-00114)

HPE Intelligent Management Center iMC PLAT is a suite of network intelligent management center solutions from Hewlett Packard Enterprise HPE. The solution provides network-wide visibility and enables comprehensive management of resources, services and users. A security vulnerability exists in Dbm...

TerraMaster TOS Cross-Site Scripting Vulnerability

TerraMaster TOS is a set of storage server special operating system based on Linux platform developed by Terra Master. The system supports file sharing, cloud data synchronization, data backup and virtualization, etc. Text Editor is one of the text editor. A cross-site scripting vulnerability...

CVE-2018-13360

Cross-site scripting in Text Editor in TerraMaster TOS version 3.1.03 allows attackers to execute JavaScript via the "filename" URL parameter...

CVE-2018-6075

Incorrect handling of specified filenames in file downloads in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page and user interaction...

httpd: <FilesMatch> bypass with a trailing newline in the file name

In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the...