Streamlit is a data-oriented application development framework for Python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file system such as: server logs, world-readable files, and potentially other sensitive information.

Sanic is an open-source Python web server/framework. Affected versions of Sanic allow access to lateral (sibling) directories when using `app.static` if the request URL uses an encoded `%2F` path separator. Parent directory traversal is not impacted. There is no known workaround for this issue.

A directory traversal vulnerability was discovered in Wuzhicms 4.1.0 via /coreframe/app/attachment/admin/index.php.

An issue was discovered in Veritas NetBackup 8.1.x through 8.1.2, 8.2, 8.3.x through 8.3.0.2, 9.x through 9.0.0.1, and 9.1.x through 9.1.0.1 (and related NetBackup products). An attacker with authenticated access to a NetBackup Client could arbitrarily create directories on a NetBackup Primary server.

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.

FLIR AX8 thermal sensor cameras up to and including version 1.46.16 are vulnerable to directory traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path.

All FLIR AX8 thermal sensor cameras up to and including version 1.46.16 are affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains the path of the SQLite users database and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords.

An issue was discovered in YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft's Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.

Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.

Neo4j APOC (Awesome Procedures on Cypher) before 4.3.0.7 and 4.x before 4.4.0.8 allows Directory Traversal to sibling directories via.
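The Streamlit and Sanic entries above both concern files served from a directory under an HTTP route. The following is an added example, not code from either project, showing the general failure the Sanic entry describes: a check that looks for `..` segments in the raw URL never sees an encoded separator such as `..%2F`, while a check that decodes first and then requires the resolved path to stay inside the served root refuses lateral (sibling) and parent traversal alike. The function names (`naive_is_safe`, `naive_serve`, `resolve_static`, `demo`), the directory layout and the file contents are constructed for illustration and are not taken from either project.

```python
"""Added example (not Sanic's or Streamlit's code): a static-file lookup that
checks for '..' before percent-decoding, beside one that decodes and then
enforces containment. All paths and contents below are constructed."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def naive_is_safe(url_path: str) -> bool:
    """Vulnerable pattern: inspects the URL as the router sees it, before
    percent-decoding, so '..%2Fsecrets' is one opaque segment, not '..'."""
    return ".." not in url_path.split("/")


def naive_serve(root: Path, url_path: str) -> Optional[str]:
    """Vulnerable handler: passes the naive check, then decodes and opens the
    joined path, which the OS now reads with a literal '/' in it."""
    if not naive_is_safe(url_path):
        return None
    with open(os.path.join(str(root), unquote(url_path)), encoding="utf-8") as f:
        return f.read()


def resolve_static(root: Path, url_path: str) -> Optional[Path]:
    """Hardened lookup: decode, join, resolve (collapsing '..' and symlinks),
    then require the result to lie inside the real root. None means refuse."""
    root_real = root.resolve()
    candidate = (root_real / unquote(url_path).lstrip("/")).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


def demo() -> Dict[str, Tuple[bool, Optional[str], Optional[str]]]:
    """Constructed tree: <tmp>/static is served, <tmp>/secrets is a sibling.
    Returns, per request: (naive verdict, hardened result relative to the
    root or None, content the naive handler would have served or None)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        (root / "index.html").write_text("<h1>hi</h1>", encoding="utf-8")
        (base / "secrets").mkdir()
        (base / "secrets" / "db.sqlite").write_text("constructed secret", encoding="utf-8")

        results = {}
        for req in ("index.html",
                    "..%2Fsecrets%2Fdb.sqlite",   # lateral, encoded separator
                    "../secrets/db.sqlite"):      # lateral, literal separator
            hardened = resolve_static(root, req)
            results[req] = (
                naive_is_safe(req),
                None if hardened is None else str(hardened.relative_to(root.resolve())),
                naive_serve(root, req),
            )
        return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(req, verdict)
```

The encoded request passes the segment check and the naive handler reads the sibling file, while the hardened lookup refuses it; the literal `../` form is caught by both, which is the behaviour the Sanic entry describes when it says parent traversal was not the problem. The containment test relies on `resolve()`, so it also covers symlinks placed inside the served directory.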
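The Zimbra entry above describes an import endpoint that unpacks an uploaded ZIP and ends in directory traversal. The following added example is not Zimbra's code; it shows the check such an extractor needs, refusing any entry whose resolved target would land outside the destination (the "zip slip" pattern) or whose name is absolute. The archive, the entry names (`Inbox/message-1.eml`, `../../outside/shell.jsp`, `/etc/absolute.txt`) and the function names (`build_sample_zip`, `safe_extract`, `demo`) are constructed for the demonstration.

```python
"""Added example (not Zimbra's code): extracting an uploaded ZIP with a
containment check so entries that climb out of the destination, or carry an
absolute name, are refused rather than written. Archive contents are
constructed for the demo."""
import io
import shutil
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List


def build_sample_zip() -> bytes:
    """Constructed upload: one legitimate entry plus two hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Inbox/message-1.eml", "Subject: hello\r\n\r\nbenign body\r\n")
        zf.writestr("../../outside/shell.jsp", "<%-- constructed payload --%>")
        zf.writestr("/etc/absolute.txt", "absolute entry name")
    return buf.getvalue()


def safe_extract(zip_bytes: bytes, dest: Path) -> Dict[str, List[str]]:
    """Write an entry only if its resolved target stays inside dest.
    Returns the entry names that were written and those that were refused."""
    dest_real = dest.resolve()
    written: List[str] = []
    refused: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Joining an absolute name replaces dest entirely, and resolve()
            # collapses any '..', so the containment test sees the real target.
            target = (dest_real / info.filename).resolve()
            try:
                target.relative_to(dest_real)
            except ValueError:
                refused.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
            written.append(info.filename)
    return {"written": written, "refused": refused}


def demo() -> Dict[str, List[str]]:
    """Extract the constructed archive into a scratch directory and report
    what was written, what was refused, and what actually landed on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "import"
        dest.mkdir()
        report = safe_extract(build_sample_zip(), dest)
        dest_real = dest.resolve()
        report["on_disk"] = sorted(
            str(p.relative_to(dest_real)) for p in dest_real.rglob("*") if p.is_file()
        )
        return report


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extractall` strips leading separators and `..` components before writing, so the check matters most in extractors written by hand or in libraries that honour entry names verbatim. The check does not cover archive formats that can carry symlink entries; an extractor that recreates those must also refuse links pointing outside the destination.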