CVE-2024-12019

HIGH Year: 2024
Weakness Type
CWE-23
View all →

Vulnerability Description

The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with ‘read’ and ‘download’ privileges on at least one existing document in the application is required to exploit the vulnerability. Exploitation of this vulnerability would allow an attacker to read the contents of any file available within the privileges of the system user running the application.

Related Vulnerabilities

CVE-2023-2356

CRITICAL
CVSS:10.0(Critical)

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.

CWE-232023

CVE-2023-3941

CRITICAL
CVSS:10.0(Critical)

Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X...

CWE-232023

CVE-2024-0520

CRITICAL
CVSS:10.0(Critical)

A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS command ('Command Injection') within the `mlflow.data.h...

CWE-232024

CVE-2024-24578

CRITICAL
CVSS:10.0(Critical)

RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. RaspberryMatic / OCCU prior to version 3.75.6.20240316 contains a unauthenticated remote code execution (RCE...

CWE-232024

CVE-2023-40714

CRITICAL
CVSS:9.9(Critical)

A relative path traversal in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.2, 6.6.0 through 6.6.3, 6.5.1, 6.5.0 allows attacker to escalate privilege via uploading certain GUI elements

CWE-232023

CVE-2024-3025

CRITICAL
CVSS:9.9(Critical)

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by...

CWE-232024