11 matches found
CVE-2026-31978 motionEye: Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
motionEye (mEye) is an online interface for motion software, which is a video surveillance program with motion detection. Versions prior to 0.44.0 are vulnerable to path traversal in the picture and movie API endpoints, such as /picture/id/preview/filename. Neither the API handlers, nor the...
CVE-2026-31978
Summary: CVE-2026-31978 affects motionEye (pre-0.44.0). A path traversal flaw in the picture/movie preview endpoints (/picture/{id}/preview/{filename}) allows an authenticated, non-admin user to read arbitrary files on the host filesystem via the get_media_preview() path, since it doesn’t check f...
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
Summary: mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join. When an absolute...
GHSA-RW9Q-97R9-8GVH motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
Summary: mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join. When an absolute...
motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint
Summary: motionEye v0.43.1 (latest stable) is vulnerable to path traversal in the picture and movie API endpoints, like /picture/id/preview/filename. Neither the API handlers nor the mediafiles.py functions like get_media_preview check for .. sequences in the filename parameter, except getmediaconten...
PT-2026-51430
Name of the Vulnerable Software and Affected Versions: motionEye version 0.43.1. Description: An absolute path traversal issue exists in the picture and movie API endpoints, such as '/picture/id/preview/filename'. The vulnerability occurs because the API handlers and functions get media preview and...
CVE-2021-30172
Special characters on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered in users’ input, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected XSS (cross-site scripting) attacks, and additionally access and manipulate customer’s...
Cross site scripting
Special characters on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered in users’ input, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected XSS (cross-site scripting) attacks, and additionally access and manipulate customer’s...
CVE-2021-30172
CVE-2021-30172 affects the Jun-He/Quan-Fang-Wei-Tong-Xun system: special characters on the image preview page input are not filtered, enabling a remote authenticated attacker to inject JavaScript via reflected XSS and access/manipulate customer information. Connected sources confirm the XSS vecto...
CVE-2021-30172 Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Reflected XSS
Special characters on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered in users’ input, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected XSS (cross-site scripting) attacks, and additionally access and manipulate customer’s...
U-Mail: arbitrary file download vulnerability in the latest version - vulnerability warning - the black bar safety net
The problem occurs in the picture preview: http://192.168.1.24/webmail/client/mail/index.php?module=operate&action=attach-img-preview&durl=1.gif&type=application/octet-stream The key code is as follows: if ACTION == "attach-img-preview" $downloadurl =...