Lucene search
K

15 matches found

OSV
OSV
added 2026/06/12 9:53 p.m.8 views

GHSA-GXJX-7M74-HCQ8 File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames

Summary filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes \ is only a path separator on Windows. A file whose name contains Windows-style traversal ......\evil.txt is accepted by the resource...

6.2CVSS5.7AI score0.00189EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/04/16 11:28 p.m.6 views

SUSE CVE-2026-34242

Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17...

7.7CVSS5.7AI score0.00465EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/16 8:43 p.m.6 views

EUVD-2026-23003

Weblate: Arbitrary File Read via Symlink...

7.7CVSS5.8AI score0.00465EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/16 8:43 p.m.4 views

Symlink Attack

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Symlink Attack in the ZIP download. An attacker can access arbitrary files outside the intended repository by exploiting symlink traversal...

8.5CVSS5.9AI score0.00465EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/11/25 11:38 p.m.9 views

CVE-2025-65963 CFiles Unauthorized Folder/ZIP Access in Public Spaces

Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has bee...

5.4CVSS0.00157EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/11/21 5:29 p.m.10 views

CVE-2025-62724

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" TOCTOU attack when downloading zip files to access files outside of the OODALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all curre...

4.3CVSS6.8AI score0.00182EPSS
Exploits0References1
NVD
NVD
added 2025/11/20 5:15 p.m.5 views

CVE-2025-62724

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" TOCTOU attack when downloading zip files to access files outside of the OODALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all curre...

4.3CVSS0.00182EPSS
Exploits0References1
EUVD
EUVD
added 2025/11/20 4:53 p.m.3 views

EUVD-2025-198294

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" TOCTOU attack when downloading zip files to access files outside of the OODALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all curre...

4.3CVSS6.4AI score0.00182EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/11/20 4:53 p.m.9 views

CVE-2025-62724 Open OnDemand allowlist bypass using symlinks in directory downloads (TOCTOU)

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" TOCTOU attack when downloading zip files to access files outside of the OODALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all curre...

4.3CVSS0.00182EPSS
Exploits0References1
OSV
OSV
added 2025/11/20 4:53 p.m.5 views

CVE-2025-62724 Open OnDemand allowlist bypass using symlinks in directory downloads (TOCTOU)

Open OnDemand is an open-source HPC portal. Prior to versions 4.0.8 and 3.1.16, users can craft a "Time of Check to Time of Use" TOCTOU attack when downloading zip files to access files outside of the OODALLOWLIST. This vulnerability impacts sites that use the file browser allowlists in all curre...

4.3CVSS6.8AI score0.00182EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/11/20 12:0 a.m.5 views

PT-2025-47604

Name of the Vulnerable Software and Affected Versions Open OnDemand versions prior to 4.0.8 Open OnDemand versions prior to 3.1.16 Description Open OnDemand is an open-source HPC portal. Users can potentially exploit a “Time of Check to Time of Use” TOCTOU condition when downloading zip files,...

4.3CVSS6.5AI score0.00182EPSS
Exploits0References4
HackRead
HackRead
added 2024/03/05 10:13 a.m.25 views

New CHAVECLOAK Banking Trojan Targets Brazilians via Malicious PDFs

By Deeba Ahmed The CHAVECLOAK banking Trojan employs PDFs, ZIP downloads, DLL sideloading, and deceptive pop-ups to target Brazil's unsuspecting banking users financial sector. This is a post from HackRead.com Read the original post: New CHAVECLOAK Banking Trojan Targets Brazilians via Malicious...

7.2AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 2022/06/24 3:15 p.m.9 views

CVE-2022-21829

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concretesecure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http...

9.8CVSS7.5AI score0.01681EPSS
Exploits0References6
CNNVD
CNNVD
added 2022/06/24 12:0 a.m.4 views

PortlandLabs Concrete Cms 安全漏洞

PortlandLabs Concrete Cms is a team-oriented open source content management system from PortlandLabs, Inc. A remote code execution vulnerability exists in PortlandLabs Concrete Cms, which stems from the ability to download zip files over HTTP and execute from those zip files, which could be...

9.8CVSS6.7AI score0.01681EPSS
Exploits0References4
CNVD
CNVD
added 2018/05/31 12:0 a.m.4 views

strider-sauce code execution vulnerability

strider-sauce is a package for installing and deploying Strider. A security vulnerability exists in strider-sauce that originates when the program downloads compressed resources over the HTTP protocol. A remote attacker could exploit the vulnerability by replacing the requested zip file with a zi...

9.3CVSS7.1AI score0.01752EPSS
Exploits0References1
Rows per page
Query Builder