CVE-2019-12479
https://notcve.org/view.php?id=CVE-2019-12479
An issue was discovered in 20|20 Storage 2.11.0. A Path Traversal vulnerability in the TwentyTwenty.Storage library in the LocalStorageProvider allows creating and reading files outside of the specified basepath. If the application using this library does not sanitize user-supplied filenames, then this issue may be exploited to read or write arbitrary files. This affects LocalStorageProvider.cs. Se descubrió un problema en 20|20 Storage 2.11.0. • https://security401.com/twentytwenty-storage-path-traversal • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2017-17831
https://notcve.org/view.php?id=CVE-2017-17831
GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a "url =" line in a .lfsconfig file within a repository. GitHub Git LFS en versiones anteriores a la 2.1.1 permite que los atacantes remotos ejecuten comandos arbitrarios mediante una URL ssh con un carácter guión inicial en el nombre del host, que se encuentra en una línea "url =" en un archivo .lfsconfig dentro de un repositorio. • http://blog.recurity-labs.com/2017-08-10/scm-vulns http://www.securityfocus.com/bid/102926 https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2018-01-24-942834324.html https://github.com/git-lfs/git-lfs/pull/2242 https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1 • CWE-20: Improper Input Validation •
CVE-2015-5502
https://notcve.org/view.php?id=CVE-2015-5502
The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not properly restrict access to Storage API fields attached to entities that are not nodes, which allows remote attackers to have unspecified impact via unknown vectors. Vulnerabilidad en el módulo Storage API 7.x-1.x en versiones anteriores a 7.x-1.8 para Drupal, no restringe adecuadamente el acceso a campos Storage API adjuntos a entidades que no son nodos, lo que permite a atacantes remotos tener un impacto no especificado a través de vectores desconocidos. • http://www.openwall.com/lists/oss-security/2015/07/04/4 http://www.securityfocus.com/bid/74867 https://www.drupal.org/node/2495895 https://www.drupal.org/node/2495903 • CWE-284: Improper Access Control •