319 matches found
Directory traversal
Directory Traversal in filebrowser in Seagate NAS OS 4.3.15.1 allows attackers to read files within the application's container via a URL path...
CVE-2018-12297
Cross-site scripting in API error pages in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via URL path names...
CVE-2018-12297
CVE-2018-12297 affects Seagate NAS OS 4.3.15.1 with XSS in API error pages via URL path names. Root cause cited as insufficient validation of client data by the WEB application; impact is client-side script execution. Exploitation details/works are not provided in the documents; no remediation/ve...
CVE-2019-9901
CVE-2019-9901 affects Envoy 1.9.0 and earlier. The vulnerability arises because Envoy does not normalize HTTP URL paths, allowing a remote attacker to craft a relative path (e.g., something/../admin) to bypass access controls and cause a backend to interpret a non-normalized path, potentially gra...
CVE-2019-9901
A flaw was found in Envoy version 1.9.0 and older, where Envoy does not normalize HTTP URL paths. This flaw allows a remote attacker to craft a path with a relative path and to bypass access control. This issue results in a backend server with the ability to interpret the unnormalized path...
Apache 2.4.x < 2.4.39 Multiple Vulnerabilities
According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.39. It is, therefore, affected by multiple vulnerabilities: - A privilege escalation vulnerability exists in module scripts due to an ability to execute arbitrary code as the parent process by...
DEBIAN-CVE-2019-9947
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...
CVE-2018-19934
SolarWinds Serv-U FTP Server 15.1.6.25 has reflected cross-site scripting (XSS) in the Web management interface via URL path and HTTP POST parameter...
Directory Traversal in bitty
Affected versions of bitty are vulnerable to directory traversal via the URL path in GET requests. Recommendation The bitty package is not currently maintained, and has not seen an update since 2015. At this time, the best available mitigation is to use an alternative module that is actively...
mcstatic directory traversal vulnerability
A server directory traversal vulnerability was found on node module mcstatic =0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path...
SolarWinds Serv-U FTP 15.1.6.25 Cross Site Scripting
Issue: Reflected Cross-Site Scripting CVE: CVE-2018-19934 Security researcher: Chris Moberly @ The Missing Link Security Product name: Serv-U FTP Server Product version: Tested on 15.1.6.25 current as of Dec 2018 Fixed in: Serv-U 15.1.6 hotfix 3 Overview The Serv-U FTP Server is vulnerable to a...
SolarWinds Serv-U FTP 15.1.6.25 Cross Site Scripting Vulnerability
Exploit for windows platform in category web applications Issue: Reflected Cross-Site Scripting CVE: CVE-2018-19934 Security researcher: Chris Moberly @ The Missing Link Security Product name: Serv-U FTP Server Product version: Tested on 15.1.6.25 current as of Dec 2018 Fixed in: Serv-U 15.1.6...
CVE-2018-16482
A server directory traversal vulnerability was found on node module mcstatic =0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path...
Directory traversal
A server directory traversal vulnerability was found on node module mcstatic =0.0.20 that would allow an attack to access sensitive information in the file system by appending slashes in the URL path...
Cross-site Scripting (XSS)
cups is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists as scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function...
CVE-2018-14704
Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path...
CVE-2018-13022
Cross-site scripting vulnerability in the API 404 page on Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary JavaScript via a modified URL path...