Top File Reading reports from HackerOne:

  1. HTML-injection in PDF-export leads to LFI to Visma Public - 330 upvotes, $500
  2. Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion to Evernote - 246 upvotes, $0
  3. Misuse of an authentication cookie combined with a path traversal on app.starbucks.com permitted access to restricted data to Starbucks - 227 upvotes, $0
  4. Keybase client (Windows 10): Write files anywhere in userland using relative path in "download attachement" feature to Keybase - 196 upvotes, $5000
  5. Worker container escape lead to arbitrary file reading in host machine [again] to Semmle - 175 upvotes, $2000
  6. Path traversal in filename in LINE Mac client to LY Corporation - 168 upvotes, $0
  7. Path traversal, SSTI and RCE on a MailRu acquisition to Mail.ru - 152 upvotes, $2000
  8. XSS Reflected on reddit.com via url path to Reddit - 144 upvotes, $0
  9. Path traversal, to RCE to GitLab - 136 upvotes, $12000
  10. Directory Traversal in uftpd 2.6-2.10 to ██████ - 136 upvotes, $0
  11. [portswigger.net] Path Traversal al /cms/audioitems to PortSwigger Web Security - 126 upvotes, $0
  12. Unauthenticated LFI revealing log information to Slack - 119 upvotes, $0
  13. Wordpress unzip_file path traversal to WordPress - 114 upvotes, $0
  14. Worker container escape lead to arbitrary file reading in host machine to Semmle - 110 upvotes, $2000
  15. Zero day path traversal vulnerability in Grafana 8.x allows unauthenticated arbitrary local file read to Aiven Ltd - 103 upvotes, $1000
  16. Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 to Internet Bug Bounty - 93 upvotes, $4000
  17. Vanilla Forums AddonManager getSingleIndex Directory Traversal File Inclusion Remote Code Execution Vulnerability to Vanilla - 84 upvotes, $900
  18. Path traversal in Nuget Package Registry to GitLab - 83 upvotes, $12000
  19. Cache Poisoning via uppercase letters in invalid path to InnoGames - 82 upvotes, $550
  20. File writing by Directory traversal at actionpack-page_caching and RCE by it to Ruby on Rails - 79 upvotes, $1000
  21. Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/ to Starbucks - 78 upvotes, $0
  22. SSRF and LFI in site-audit tool to Semrush - 77 upvotes, $0
  23. Path traversal lead to LFR via [CVE-2019-3394] to Mail.ru - 74 upvotes, $0
  24. Any one can view collaborater email address via path /reports/<id>/participants to HackerOne - 73 upvotes, $0
  25. LFI and SSRF via XXE in emblem editor to Rockstar Games - 72 upvotes, $1500
  26. Grafana LFI on https://grafana.mariadb.org to MariaDB - 70 upvotes, $0
  27. LFI to steal /etc/passwd - Bypass filter in the <meta property="og:image"> tag via redirect and much more to BugPoC - 69 upvotes, $100
  28. Lynxview JS interfaces Takeover via deeplink traversal to TikTok - 67 upvotes, $0
  29. Authenticated path traversal to Stored XSS and Denial-of-Service to phpBB - 66 upvotes, $0
  30. Unquoted Service Path in "Rockstar Game Library Service" to Rockstar Games - 60 upvotes, $0
  31. [Source Engine] Material path truncation leads to Remote Code Execution to Valve - 59 upvotes, $2500
  32. Path Traversal in dict-fs and no-check Escape Character in oauth2-jwt to Open-Xchange - 57 upvotes, $982
  33. Privilege Escalation by abusing non-existent path. (Windows) to PortSwigger Web Security - 57 upvotes, $0
  34. Path Traversal in the iOS application to VK.com - 55 upvotes, $0
  35. Path traversal in Tempfile on windows OS due to unsanitized backslashes to Ruby - 53 upvotes, $500
  36. LFI with potential to RCE on ██████ using CVE-2019-3396 to U.S. Dept Of Defense - 53 upvotes, $0
  37. Uncontrolled Search Path Element allows DLL hijacking for priv esc to SYSTEM to GlassWire - 50 upvotes, $250
  38. Directory Traversal + HTTP Paramater Pollution leaking SQL/LDAP credentials to Soleo - 48 upvotes, $0
  39. Limited LFI to GSA Bounty - 47 upvotes, $300
  40. full path disclosure on www.rockstargames.com via apache filename brute forcing to Rockstar Games - 47 upvotes, $0
  41. LFI through the MySQL connection to Infogram - 47 upvotes, $0
  42. [Android] Directory traversal leading to disclosure of auth tokens to Slack - 46 upvotes, $3500
  43. Local File Inclusion vulnerability on an Army system allows downloading local files to U.S. Dept Of Defense - 45 upvotes, $0
  44. Path traversal through path stored in Uint8Array in Node.js 20 to Internet Bug Bounty - 42 upvotes, $3495
  45. Multiple SQL Injections and constrained LFI in esk-static.3igames.mail.ru to Mail.ru - 41 upvotes, $1500
  46. Permission model improperly protects against path traversal in Node.js 20 to Internet Bug Bounty - 39 upvotes, $2330
  47. Path Traversal on Default Installed Rails Application (Asset Pipeline) to Ruby on Rails - 38 upvotes, $1500
  48. Path traversal leading to limited CSRF on GET requests on two endpoints to HackerOne - 38 upvotes, $0
  49. Remote code execution via path traversal in Zip extraction in the Extract app to Nextcloud - 38 upvotes, $0
  50. Path Traversal issue at https://████/blaze/ to Sony - 38 upvotes, $0
  51. Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://████ to U.S. Dept Of Defense - 36 upvotes, $5000
  52. Path traversal allows tricking the Talk Android app into writing files into it's root directory to Nextcloud - 36 upvotes, $0
  53. Stored XSS in galleries - https://www.redtube.com/gallery/[id] path to Pornhub - 35 upvotes, $0
  54. Arbitrary File Reading on Uber SSL VPN to Uber - 34 upvotes, $6500
  55. [p2p.qiwi.com] nginx alias traversal to QIWI - 34 upvotes, $0
  56. internal path disclosure via register error to Tennessee Valley Authority - 34 upvotes, $0
  57. Path traversal by monkey-patching Buffer internals to Node.js - 34 upvotes, $0
  58. Reflected XSS at https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true via PATH to Glassdoor - 33 upvotes, $0
  59. Path traversal in ZIP extract routine on LINE Android to LY Corporation - 32 upvotes, $475
  60. Full Path and internal information disclosure+ SQLNet.log file disclose internal network information to Uber - 32 upvotes, $0
  61. LFI at http://www.████ to Sony - 32 upvotes, $0
  62. Path traversal in a Tomcat server to LY Corporation - 32 upvotes, $0
  63. [o2.mail.ru] nginx alias traversal to Mail.ru - 31 upvotes, $150
  64. [dev-nightly.ubnt.com] Local File Reading to Ubiquiti Inc. - 31 upvotes, $0
  65. SQL injection in URL path processing on www.ibm.com to IBM - 31 upvotes, $0
  66. Directory traversal at https://msg.algolia.com to Algolia - 30 upvotes, $0
  67. Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013) to Internet Bug Bounty - 29 upvotes, $1000
  68. LFI in beta.mail.ru to Mail.ru - 28 upvotes, $150
  69. LFI in pChart php library to Valve - 28 upvotes, $0
  70. [porcupiney.hairs]: [Python] Add Flask Path injection sinks to GitHub Security Lab - 28 upvotes, $0
  71. Path Traversal in App Proxy to Shopify - 27 upvotes, $500
  72. SQL Injection on /cs/Satellite path to LocalTapiola - 27 upvotes, $0
  73. [geekbrains.ru] Node modules path disclosure due to lack of error handling to Mail.ru - 26 upvotes, $0
  74. CVE-2022-21371: Oracle WebLogic Server Local File Inclusion to Mars - 26 upvotes, $0
  75. Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename to Unikrn - 25 upvotes, $50
  76. Directory traversal at https://nightly.ubnt.com to Ubiquiti Inc. - 24 upvotes, $0
  77. SQL Injection on https://soa-accp.glbx.tva.gov/ via "/api/" path - VI-21-015 to Tennessee Valley Authority - 24 upvotes, $0
  78. Internal machine learning API endpoint for CWE classification is vulnerable to path traversal to HackerOne - 24 upvotes, $0
  79. CSS Injection via Client Side Path Traversal + Open Redirect leads to personal data exfiltration on Acronis Cloud to Acronis - 23 upvotes, $250
  80. Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.50 to Internet Bug Bounty - 22 upvotes, $1000
  81. Potential IP revealing using UNC Path in Windows File Picker to Tor - 22 upvotes, $0
  82. [lk.contact-sys.com] LKlang Path Traversal to QIWI - 21 upvotes, $0
  83. Error in Booking an appointment reveals the full path of the website to Nextcloud - 21 upvotes, $0
  84. LFI on Accounting server and RCE on FliteThermostat admin server to 50m-ctf - 20 upvotes, $0
  85. Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███ to U.S. Dept Of Defense - 20 upvotes, $0
  86. Path traversal on https://███ allows arbitrary file read (CVE-2020-3452) to U.S. Dept Of Defense - 20 upvotes, $0
  87. Path traversal on bank.mail.ru ( CVE-2013-3827 ) to Mail.ru - 20 upvotes, $0
  88. [webvpn.city-srv.ru] Path traversal via CVE-2020-3452 to Mail.ru - 20 upvotes, $0
  89. path traversal vulnerability in Grafana 8.x allows " local file read " to MTN Group - 20 upvotes, $0
  90. Path traversal by monkey-patching Buffer internals to Internet Bug Bounty - 19 upvotes, $2430
  91. [id.rapida.ru] Full Path Disclosure to QIWI - 19 upvotes, $0
  92. Blind SQL Injection on █████ via URI Path to Mars - 19 upvotes, $0
  93. [mobs.mail.ru] nginx path traversal via misconfigured alias to Mail.ru - 18 upvotes, $0
  94. reflected xss on the path m.tiktok.com to TikTok - 18 upvotes, $0
  95. LFI via Jolokia at https://█.█.█.█:1293 to 8x8 - 18 upvotes, $0
  96. Ingress-nginx path allows retrieval of ingress-nginx serviceaccount token to Kubernetes - 17 upvotes, $2500
  97. Persistent XSS found on bin.pinion.gg due to outdated FlowPlayer SWF file with Remote File Inclusion vulnerability. to Unikrn - 17 upvotes, $30
  98. ███ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability to U.S. Dept Of Defense - 17 upvotes, $0
  99. [doc.rt.informaticacloud.com] Arbitrary File Reading via Double URL Encode to Informatica - 17 upvotes, $0
  100. Unix domain socket and a path containing a null character to Ruby - 16 upvotes, $500
  101. [Total.js] Path traversal vulnerability allows to read files outside public directory to Node.js third-party modules - 16 upvotes, $0
  102. Authenticated path traversal to RCE to Concrete CMS - 16 upvotes, $0
  103. Full Path Disclosure in Wordpress Rest API Response to Showmax - 15 upvotes, $50
  104. Node modules path disclosure due to lack of error handling to Mapbox - 15 upvotes, $0
  105. List any file in the folder by using path traversal to Node.js third-party modules - 15 upvotes, $0
  106. Ad Builder Display Ads Path Traversal to Semrush - 15 upvotes, $0
  107. Korea - LFI Server directory traversal at starbucks.co.kr to Starbucks - 15 upvotes, $0
  108. 2x Remote file inclusion within your VMware Instances to MTN Group - 15 upvotes, $0
  109. CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com to IBM - 15 upvotes, $0
  110. Multiple permission model bypasses due to improper path traversal sequence sanitization to Node.js - 15 upvotes, $0
  111. Non-authenticated path traversal leading to arbitrary file read to ExpressionEngine - 15 upvotes, $0
  112. Unintentional file creation caused at Tempfile with directory traversal to Ruby - 14 upvotes, $500
  113. Windows builds with insecure path defaults (CVE-2019-1552) to Internet Bug Bounty - 13 upvotes, $500
  114. Linux client is vulnerable to directory traversal when downloading files to Nextcloud - 13 upvotes, $250
  115. Path Traversal When Sharing with Cloud Mail.Ru App via a file with Crated Name to Mail.ru - 13 upvotes, $150
  116. Local File Inclusion path bypass to Concrete CMS - 13 upvotes, $0
  117. Full path Disclosure in Rockstargames.com██████████ to Rockstar Games - 13 upvotes, $0
  118. Full directory path listing to Paragon Initiative Enterprises - 13 upvotes, $0
  119. [Critical] Full local fylesystem access (LFI/LFD) as admin via Path Traversal in the misconfigured Java servlet on the https://███/ to U.S. Dept Of Defense - 13 upvotes, $0
  120. Exposed Log File Lead to Full Internal path disclosure at [https://nextcloud.com/wp-content/debug.log] to Nextcloud - 13 upvotes, $0
  121. XSS on ( █████████.gov ) Via URL path to U.S. Dept Of Defense - 13 upvotes, $0
  122. XSS @ store.steampowered.com via agecheck path name to Valve - 12 upvotes, $750
  123. GitHub Security Lab (GHSL) Vulnerability Report: Insufficient path validation in ReceiveExternalFilesActivity.java (GHSL-2022-060) to ownCloud - 12 upvotes, $50
  124. REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean to Yahoo! - 12 upvotes, $0
  125. Unrestricted File Download / Path Traversal to U.S. Dept Of Defense - 12 upvotes, $0
  126. Existence of Folder path by guessing the path through response to Files.com - 12 upvotes, $0
  127. [hekto] Path Traversal vulnerability allows to read content of arbitrary files to Node.js third-party modules - 12 upvotes, $0
  128. [rm.mail.ru] Request-Path XSS to Mail.ru - 12 upvotes, $0
  129. [vitrina.contact-sys.com] Full Path Disclosure to QIWI - 12 upvotes, $0
  130. Path Disclosure Vulnerability http://crm.******.com to Unikrn - 12 upvotes, $0
  131. Full Path Disclosure to Mail.ru - 12 upvotes, $0
  132. Exposing debug.log file leads to server full path disclosure to Nextcloud - 12 upvotes, $0
  133. [m-server] XSS reflected because path does not escapeHtml to Node.js third-party modules - 12 upvotes, $0
  134. Forbidden access to https://apps-staging.pingone.com but "/packages.json" visible and full path disclosure to Ping Identity - 11 upvotes, $100
  135. Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1 to Concrete CMS - 11 upvotes, $0
  136. Local file inclusion vulnerability on a DoD website to U.S. Dept Of Defense - 11 upvotes, $0
  137. [html-pages] Path Traversal in html-pages module allows to read any file from the server with curl to Node.js third-party modules - 11 upvotes, $0
  138. [buttle] Path traversal in mid-buttle module allows to read any file in the server. to Node.js third-party modules - 11 upvotes, $0
  139. [simplehttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 11 upvotes, $0
  140. Path traversal on ████████ to U.S. Dept Of Defense - 11 upvotes, $0
  141. Full Path disclosure on 500 error to Liberapay - 11 upvotes, $0
  142. Path Traversal - [ CVE-2020-3452 ] to U.S. Dept Of Defense - 11 upvotes, $0
  143. Full Path Disclosure / Info Disclosure in Creating New Group to Localize - 10 upvotes, $0
  144. Arbitrary File Reading to OLX - 10 upvotes, $0
  145. [Debug.log file Exposed to Public \Full Path Disclosure](https://hackerone.com/reports/202939) to Pornhub - 10 upvotes, $0
  146. Local File Inclusion In Registration Page to U.S. Dept Of Defense - 10 upvotes, $0
  147. [city-mobil.ru/taxiserv/] SQLi at /taxiserv/requests path at driver_company param to Mail.ru - 10 upvotes, $0
  148. [samokat.ru] PHP modules path disclosure due to lack of error handling to Mail.ru - 10 upvotes, $0
  149. Relative Path Vulnerability Results in Arbitrary Command Execution/Privilege Escalation to Slack - 9 upvotes, $750
  150. Explicit, dynamic render path: Dir. Trav + RCE to Ruby on Rails - 9 upvotes, $500
  151. Full path disclosure on track.uber.com to Uber - 9 upvotes, $100
  152. Multiple Path Disclosure to Ian Dunn - 9 upvotes, $0
  153. [localhost-now] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 9 upvotes, $0
  154. [general-file-server] Path Traversal vulnerability allows to read content on arbitrary file on the server to Node.js third-party modules - 9 upvotes, $0
  155. UniFi Video Server web interface Configuration Restore path traversal leading to local system compromise to Ubiquiti Inc. - 9 upvotes, $0
  156. Remote file inclusion using "/cdn-cgi/pe/bag2?r[]=" to Cloudflare Vulnerability Disclosure - 9 upvotes, $0
  157. Cisco ASA Denial of Service & Path Traversal (CVE-2018-0296) to ok.ru - 9 upvotes, $0
  158. Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch to Internet Bug Bounty - 9 upvotes, $0
  159. Open Redirect in the Path of vendhq.com to Vend VDP - 9 upvotes, $0
  160. [CVE-2019-11510 ] Path Traversal on ████████ leads to leaked passwords, RCE, etc to U.S. Dept Of Defense - 9 upvotes, $0
  161. UniFi Video Server web interface admin user Firmware Update path traversal leading to local system compromise to Ubiquiti Inc. - 9 upvotes, $0
  162. Path Traversal on meetcqpub1.gsa.gov allows attackers to see arbitrary file listings. to U.S. General Services Administration - 9 upvotes, $0
  163. Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows to Elastic - 9 upvotes, $0
  164. Directory Traversal to Yahoo! - 8 upvotes, $0
  165. [bot.brew.sh] Full Path Disclosure to Homebrew - 8 upvotes, $0
  166. XML Member Proccessing - Local File inclusion Vulnerability to ExpressionEngine - 8 upvotes, $0
  167. [markdown-pdf] Local file reading to Node.js third-party modules - 8 upvotes, $0
  168. h1-5411-CTF report: LFI / Deserialization / XXE vulnerability, to h1-5411-CTF - 8 upvotes, $0
  169. [knightjs] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 8 upvotes, $0
  170. [serve-here.js] List any file in the folder by using path traversal. to Node.js third-party modules - 8 upvotes, $0
  171. Path traversal using symlink to Node.js third-party modules - 8 upvotes, $0
  172. Directory listing is enabled that exposes non public data through multiple path to Nextcloud - 8 upvotes, $0
  173. [min-http-server] List any file in the folder by using path traversal. to Node.js third-party modules - 8 upvotes, $0
  174. internal path disclosure via error message to Mail.ru - 8 upvotes, $0
  175. CVE-2022-27780: percent-encoded path separator in URL host to Internet Bug Bounty - 8 upvotes, $0
  176. Multiple Path Transversal Vulnerabilites to Tor - 8 upvotes, $0
  177. Download attachments with traversal path into any sdcard directory (incomplete fix 106097) to Mail.ru - 7 upvotes, $200
  178. (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' to Shopify - 7 upvotes, $0
  179. [Airship CMS] Local File Inclusion - RST Parser to Paragon Initiative Enterprises - 7 upvotes, $0
  180. [otus.p.mail.ru] Full Path Disclosure to Mail.ru - 7 upvotes, $0
  181. Path Traversal on Resolve-Path to Node.js third-party modules - 7 upvotes, $0
  182. [angular-http-server] Path Traversal in angular-http-server.js allows to read arbitrary file from the remote server to Node.js third-party modules - 7 upvotes, $0
  183. [glance] Path Traversal in glance static file server allows to read content of arbitrary file to Node.js third-party modules - 7 upvotes, $0
  184. [stattic] Inproper path validation leads to Path Traversal and allows to read arbitrary files with any extension(s) to Node.js third-party modules - 7 upvotes, $0
  185. [crud-file-server] Path Traversal allows to read arbitrary file from the server to Node.js third-party modules - 7 upvotes, $0
  186. [http-file-server] List any files and sub folders in the folder by using path traversal. to Node.js third-party modules - 7 upvotes, $0
  187. [https://youdrive.today/] Nginx directory traversal to Mail.ru - 7 upvotes, $0
  188. Path Transversal inside saveContracts.js to Sifchain - 7 upvotes, $0
  189. lfi in filePathDownload parameter via ███████ to U.S. Dept Of Defense - 7 upvotes, $0
  190. CVE-2022-27780: percent-encoded path separator in URL host to curl - 7 upvotes, $0
  191. Path traversal leads to reading of local files on ███████ and ████ to U.S. Dept Of Defense - 7 upvotes, $0
  192. Potential directory traversal in OC\Files\Node\Folder::getFullPath to Nextcloud - 7 upvotes, $0
  193. CVE-2023-27534: SFTP path ~ resolving discrepancy to Internet Bug Bounty - 6 upvotes, $480
  194. Fix : (Security) Mitigate Path Traversal Bug to Hyperledger - 6 upvotes, $200
  195. Remote file Inclusion - RFI in upload to Slack - 6 upvotes, $0
  196. Path Disclosure Vulnerability to Ian Dunn - 6 upvotes, $0
  197. Wordpress: Directory Traversal / Denial of Serivce to Nextcloud - 6 upvotes, $0
  198. Remote file inclusion vulnerability on a DoD website to U.S. Dept Of Defense - 6 upvotes, $0
  199. [626] Path Traversal allows to read arbitrary file from remote server to Node.js third-party modules - 6 upvotes, $0
  200. [node-srv] Path Traversal allows to read arbitrary files from remote server to Node.js third-party modules - 6 upvotes, $0
  201. [mcstatic] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 6 upvotes, $0
  202. Import File Converter - local File inclusion to ExpressionEngine - 6 upvotes, $0
  203. [mcstatic] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
  204. [serve] Server Directory Traversal to Node.js third-party modules - 6 upvotes, $0
  205. [takeapeek] Path traversal allow to expose directory and files to Node.js third-party modules - 6 upvotes, $0
  206. [static-resource-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 6 upvotes, $0
  207. Read-only path traversal (CVE-2020-3452) at https://██████.mil to U.S. Dept Of Defense - 6 upvotes, $0
  208. Text app leaks file path of shared files to Nextcloud - 6 upvotes, $0
  209. Arbitrary File Deletion via Path Traversal in image-edit.php to ImpressCMS - 6 upvotes, $0
  210. Path paths and file disclosure vulnerabilities at influxdb.quality.gitlab.net to GitLab - 6 upvotes, $0
  211. Local file inclusion to Yahoo! - 5 upvotes, $0
  212. FULL PATH DISCLOSUR to Concrete CMS - 5 upvotes, $0
  213. Directory traversal attack in view resolver to Ruby on Rails - 5 upvotes, $0
  214. Full Path Disclosure to Mail.ru - 5 upvotes, $0
  215. [allods.my.com] Full Path Disclosure to Mail.ru - 5 upvotes, $0
  216. superstatic is vulnerable to path traversal on Windows to Node.js third-party modules - 5 upvotes, $0
  217. [bruteser] Path Traversal allows to read content of arbitrary file to Node.js third-party modules - 5 upvotes, $0
  218. http-live-simulator npm module is prone to path traversal attacks to Node.js third-party modules - 5 upvotes, $0
  219. [serve] Path Traversal to Vercel - 5 upvotes, $0
  220. Full Path Disclosure to Unikrn - 5 upvotes, $0
  221. [statichttpserver] List any file in the folder by using path traversal. to Node.js third-party modules - 5 upvotes, $0
  222. https://█████████ Vulnerable to CVE-2018-0296 Cisco ASA Path Traversal Authentication Bypass to U.S. Dept Of Defense - 5 upvotes, $0
  223. Remote File Inclusion, Malicious File Hosting, and Cross-site Scripting (XSS) in ████████ to U.S. Dept Of Defense - 5 upvotes, $0
  224. Path traversal on [███] to U.S. Dept Of Defense - 5 upvotes, $0
  225. Error in Deleting Deck cards attachment reveals the full path of the website to Nextcloud - 5 upvotes, $0
  226. Relative Path Traversal vulnerability in fabric-private-chaincode to Hyperledger - 5 upvotes, $0
  227. the complete server installation path is visible in cloud/user endpoint to Nextcloud - 5 upvotes, $0
  228. Filesystem experimental permissions policy does not handle path traversal cases. to Node.js - 5 upvotes, $0
  229. Tor Project - Full Path Disclosure to Tor - 5 upvotes, $0
  230. [Java]: CWE-073 - File path injection with the JFinal framework to GitHub Security Lab - 4 upvotes, $1800
  231. CVE-2021-22924: Bad connection reuse due to flawed path name checks to curl - 4 upvotes, $1200
  232. Image Upload Path Disclosure to Instacart - 4 upvotes, $100
  233. full path disclosure vulnerability at https://security.olx.com/* to OLX - 4 upvotes, $0
  234. newrelic.com rails directory traversal vuln to New Relic - 4 upvotes, $0
  235. [serve-here] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 4 upvotes, $0
  236. [featurebook] Specification Server Directory Traversal via Crafted Browser Request to Node.js third-party modules - 4 upvotes, $0
  237. [public] Path Traversal allows to read content of arbitrary files to Node.js third-party modules - 4 upvotes, $0
  238. [angular-http-server] Server Directory Traversal to Node.js third-party modules - 4 upvotes, $0
  239. Bypass to defective fix of Path Traversal to Node.js third-party modules - 4 upvotes, $0
  240. [ponse] Path traversal in ponse module allows to read any file on server to Node.js third-party modules - 4 upvotes, $0
  241. Path traversal in command line client to MariaDB - 4 upvotes, $0
  242. [sapper] Path Traversal to Node.js third-party modules - 4 upvotes, $0
  243. Full path disclosure vulnerability via Upload .htaccess file to Nextcloud - 4 upvotes, $0
  244. [hnzserver] Path Traversal allowing to read any files on the server to Node.js third-party modules - 4 upvotes, $0
  245. [██████████.mil] Cisco VPN Service Path Traversal to U.S. Dept Of Defense - 4 upvotes, $0
  246. Read-only path traversal (CVE-2020-3452) at https://█████ to U.S. Dept Of Defense - 4 upvotes, $0
  247. Read-only path traversal (CVE-2020-3452) at https://████████ to U.S. Dept Of Defense - 4 upvotes, $0
  248. [JAVA]: Partial Path Traversal to GitHub Security Lab - 3 upvotes, $1800
  249. Path Disclosure (Info Disclosure) in http://www.localize.io to Localize - 3 upvotes, $0
  250. Full Path Disclosure to Respondly - 3 upvotes, $0
  251. Full Path Disclosure (FPD) in www.localize.im to Localize - 3 upvotes, $0
  252. Full Path Disclosure (FPD) in www.localize.im to Localize - 3 upvotes, $0
  253. Directory Traversal at http://staging.jsdelivr.net/ to jsDelivr - 3 upvotes, $0
  254. Full Path Disclosure on gmchat.gm.com to General Motors - 3 upvotes, $0
  255. Full path + some back-end code disclosure to ExpressionEngine - 3 upvotes, $0
  256. Full Path Disclosure at 27.prd.vine.co to X (Formerly Twitter) - 3 upvotes, $0
  257. Image lib - unescaped file path to ExpressionEngine - 3 upvotes, $0
  258. [lactate] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
  259. [augustine] Static Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 3 upvotes, $0
  260. foreman is vulnerable to ReDoS in path to Node.js third-party modules - 3 upvotes, $0
  261. [file-static-server] Path Traversal allows to read content of arbitrary file on the server to Node.js third-party modules - 3 upvotes, $0
  262. Cross-Domain JavaScript Source File Inclusion to RubyGems - 3 upvotes, $0
  263. [harp] Path traversal using symlink to Node.js third-party modules - 3 upvotes, $0
  264. Path traversal in https://www.npmjs.com/package/http_server via symlink to Node.js third-party modules - 3 upvotes, $0
  265. LFI from bypassing image parser and faking HEAD response with redirection to BugPoC - 3 upvotes, $0
  266. https://██████/ Vulnerable to CVE-2013-3827 (Directory-traversal vulnerability) to U.S. Dept Of Defense - 3 upvotes, $0
  267. Path Traversal CVE-2021-26086 CVE-2021-26085 to MariaDB - 3 upvotes, $0
  268. error parse uri path in curl to curl - 3 upvotes, $0
  269. fix(security):Path Traversal Bug to Hyperledger - 3 upvotes, $0
  270. CVE-2023-27534: SFTP path ~ resolving discrepancy to curl - 3 upvotes, $0
  271. Phabricator Phame Blog Skins Local File Inclusion to Phabricator - 2 upvotes, $500
  272. Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json to Keybase - 2 upvotes, $100
  273. Full Path Disclosure to ownCloud - 2 upvotes, $25
  274. Full Path Disclosure on [smarthistory.khanacademy.org] to Khan Academy - 2 upvotes, $0
  275. Full path disclosure to Localize - 2 upvotes, $0
  276. Full Path Disclosure (FPD) in www.localize.io to Localize - 2 upvotes, $0
  277. Full Path Disclosure / Info Disclosure in Importing XML Section! to Localize - 2 upvotes, $0
  278. Full Path Disclosure (2) to Localize - 2 upvotes, $0
  279. Full Path Disclosure to Localize - 2 upvotes, $0
  280. CONCRETE5 - path disclosure. to Concrete CMS - 2 upvotes, $0
  281. PHP PDOException and Full Path Disclosure to Localize - 2 upvotes, $0
  282. full path disclosure from false language to Localize - 2 upvotes, $0
  283. Suffix of url-path is vulnerable to XSS-attack to Khan Academy - 2 upvotes, $0
  284. Multiple sub domain are vulnerable because of leaking full path to Udemy - 2 upvotes, $0
  285. apps.owncloud.com: Path Disclosure to ownCloud - 2 upvotes, $0
  286. Full path disclosure when CSRF validation failed to Paragon Initiative Enterprises - 2 upvotes, $0
  287. Full Path Disclosure by removing CSRF token to Paragon Initiative Enterprises - 2 upvotes, $0
  288. [Not just a server configuration issue] Full Path Disclosure to Ian Dunn - 2 upvotes, $0
  289. Full path disclosure vulnerability at http://corporate.olx.ph to OLX - 2 upvotes, $0
  290. Full Path Disclousure on https://airship.paragonie.com to Paragon Initiative Enterprises - 2 upvotes, $0
  291. full path disclosure at hosted.weblate.org/admin/accounts/profile/ to Weblate - 2 upvotes, $0
  292. [m-server] Path Traversal allows to display content of arbitrary file(s) from the server to Node.js third-party modules - 2 upvotes, $0
  293. [http-live-simulator] Path traversal vulnerability to Node.js third-party modules - 2 upvotes, $0
  294. [public] Path traversal using symlink to Node.js third-party modules - 2 upvotes, $0
  295. Directory traversal allows execution of arbitrary binaries usign doveadm exec to Open-Xchange - 2 upvotes, $0
  296. [static-server-gx] Path Traversal allowing to read any files on the server to Node.js third-party modules - 2 upvotes, $0
  297. [http_server] Path Traversal allowing to read any files on the server to Node.js third-party modules - 2 upvotes, $0
  298. [node-downloader-helper] Path traversal via Content-Disposition header to Node.js third-party modules - 2 upvotes, $0
  299. RXSS Via URI Path - https://██████████/ to U.S. Dept Of Defense - 2 upvotes, $0
  300. [www.█████] Path-based reflected Cross Site Scripting to U.S. Dept Of Defense - 2 upvotes, $0
  301. Full path disclosure at ads.twitter.com to X (Formerly Twitter) - 1 upvotes, $140
  302. Full Path Disclosure to ownCloud - 1 upvotes, $25
  303. PHP PDOException and Full Path Disclosure to Localize - 1 upvotes, $0
  304. Path disclosure in platform0.twitter.com to X (Formerly Twitter) - 1 upvotes, $0
  305. Full Path Disclosure to Paragon Initiative Enterprises - 1 upvotes, $0
  306. don't expose path of Python to Gratipay - 1 upvotes, $0
  307. Default.aspx exposing full path and other info on wip.origin-community.xero.com to Xero - 1 upvotes, $0
  308. Full path disclosure to Phabricator - 1 upvotes, $0
  309. Full path disclosure vulnerability on paragonie.com to Paragon Initiative Enterprises - 1 upvotes, $0
  310. file full path discloser. to Paragon Initiative Enterprises - 1 upvotes, $0
  311. Prototype Pollution Vulnerability in cached-path-relative Package to Node.js third-party modules - 1 upvotes, $0
  312. [statics-server] Path Traversal due to lack of provided path sanitization to Node.js third-party modules - 1 upvotes, $0
  313. [servey] Path Traversal allows to retrieve content of any file with extension from remote server to Node.js third-party modules - 1 upvotes, $0
  314. [md-fileserver] Path Traversal to Node.js third-party modules - 1 upvotes, $0
  315. [deliver-or-else] Path Traversal to Node.js third-party modules - 1 upvotes, $0
  316. [https://███] Local File Inclusion via graph.php to U.S. Dept Of Defense - 1 upvotes, $0
  317. https://█████ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability to U.S. Dept Of Defense - 1 upvotes, $0
  318. [sirloin] Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 1 upvotes, $0
  319. [hangersteak] Web Server Directory Traversal via Crafted GET Request to Node.js third-party modules - 1 upvotes, $0
  320. [zenn-cli] Path traversal on Windows allows the attacker to read arbitrary .md files to Node.js third-party modules - 1 upvotes, $0
  321. "blog.skillfactory.ru" Vulnerable to Directory Traversal to Mail.ru - 1 upvotes, $0
  322. Full Path Disclosure of Server through 500 Server Error to Kartpay - 1 upvotes, $0
  323. Leaking sensitive information through JSON file path. to Nextcloud - 1 upvotes, $0
  324. [Python]: Add shutil module sinks for path injection query to GitHub Security Lab - 1 upvotes, $0
  325. Directory Traversal at █████ to U.S. Dept Of Defense - 1 upvotes, $0
  326. Server Path Disclosure to Aspen - 0 upvotes, $0
  327. Full Path Disclosure in airship.paragonie.com '/cabins/' to Paragon Initiative Enterprises - 0 upvotes, $0
  328. Full Path Disclosure in password lock to Paragon Initiative Enterprises - 0 upvotes, $0
  329. Full Path Disclosure In EasyDB to Paragon Initiative Enterprises - 0 upvotes, $0
  330. [██████████] — Directory traversal via /aerosol-bin/███████/display_directory_████_t.cgi to U.S. Dept Of Defense - 0 upvotes, $0
  331. [object-path-set] Prototype pollution to Node.js third-party modules - 0 upvotes, $0
  332. Access to admininstrative resources/account via path traversal to U.S. Dept Of Defense - 0 upvotes, $0