The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images action. (CVSS:0.0) (Last Update:2019-10-07)

www/getfile.php in WPO WebPageTest 19.04 on Windows allows Directory Traversal (for reading arbitrary files) because of an unanchored regular expression, as demonstrated by the a.jpg\.. substring. (CVSS:0.0) (Last Update:2019-10-05)

joyplus-cms 1.6.0 allows manager/admin_pic.php?rootpath= absolute path traversal. (CVSS:5.0) (Last Update:2019-10-08)

KSLabs KSWEB 3.93 allows ../ directory traversal, as demonstrated by the hostFile parameter. (CVSS:0.0) (Last Update:2019-10-03)

Butor Portal before 1.0.27 is affected by a Path Traversal vulnerability leading to a pre-authentication arbitrary file download. Effectively, a remote anonymous user can download any file on servers running Butor Portal. WhiteLabelingServlet is responsible for this vulnerability. It does not properly sanitize user input on the theme t parameter before reusing it in a path. This path is then used without validation to fetch a file and return its raw content to the user via the /wl?t=../../...&h= substring followed by a filename. (CVSS:5.0) (Last Update:2019-10-08)

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to perform a directory traversal attack on an affected device. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to bypass Cisco FMC Software security restrictions and gain access to the underlying filesystem of the affected device. (CVSS:0.0) (Last Update:2019-10-02)

Online Store System v1.0 delete_file.php doesn't check to see if a user has administrative rights nor does it check for path traversal. (CVSS:6.4) (Last Update:2019-10-07)

emlog through 6.0.0beta allows remote authenticated users to delete arbitrary files via admin/template.php?action=del&tpl=../ directory traversal. (CVSS:0.0) (Last Update:2019-10-01)