CWE-24
AllowedPath Traversal: '../filedir'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
187 vulnerabilities reference this CWE, most recent first.
GHSA-MFF7-V8PM-9JPR
Vulnerability from github – Published: 2023-06-05 09:30 – Updated: 2023-06-05 09:30A vulnerability classified as critical has been found in KylinSoft youker-assistant on KylinOS. Affected is the function restore_all_sound_file. The manipulation leads to path traversal: '../filedir'. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.2-0kylin6k70-23 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230688. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-3098"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-05T07:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical has been found in KylinSoft youker-assistant on KylinOS. Affected is the function restore_all_sound_file. The manipulation leads to path traversal: \u0027../filedir\u0027. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.2-0kylin6k70-23 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230688. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-mff7-v8pm-9jpr",
"modified": "2023-06-05T09:30:17Z",
"published": "2023-06-05T09:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3098"
},
{
"type": "WEB",
"url": "https://github.com/i900008/vulndb/blob/main/kylinos_vul3.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.230688"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.230688"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MWPV-367W-4CPC
Vulnerability from github – Published: 2025-03-21 06:30 – Updated: 2025-03-21 06:30A directory traversal issue was discovered in OpenSlides before 4.2.5. Files can be uploaded to OpenSlides meetings and organized in folders. The interface allows users to download a ZIP archive that contains all files in a folder and its subfolders. If an attacker specifies the title of a file or folder as a relative or absolute path (e.g., ../../../etc/passwd), the ZIP archive generated for download converts that title into a path. Depending on the extraction tool used by the user, this might overwrite files locally outside of the chosen directory.
{
"affected": [],
"aliases": [
"CVE-2025-30343"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-21T06:15:26Z",
"severity": "LOW"
},
"details": "A directory traversal issue was discovered in OpenSlides before 4.2.5. Files can be uploaded to OpenSlides meetings and organized in folders. The interface allows users to download a ZIP archive that contains all files in a folder and its subfolders. If an attacker specifies the title of a file or folder as a relative or absolute path (e.g., ../../../etc/passwd), the ZIP archive generated for download converts that title into a path. Depending on the extraction tool used by the user, this might overwrite files locally outside of the chosen directory.",
"id": "GHSA-mwpv-367w-4cpc",
"modified": "2025-03-21T06:30:27Z",
"published": "2025-03-21T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30343"
},
{
"type": "WEB",
"url": "https://www.x41-dsec.de/lab/advisories/x41-2025-001-OpenSlides"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PCJ3-P7WG-9C68
Vulnerability from github – Published: 2024-03-20 15:32 – Updated: 2024-08-05 18:31An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Directory traversal can occur via the system logs download mechanism.
{
"affected": [],
"aliases": [
"CVE-2024-22079"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-20T05:15:45Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Directory traversal can occur via the system logs download mechanism.",
"id": "GHSA-pcj3-p7wg-9c68",
"modified": "2024-08-05T18:31:42Z",
"published": "2024-03-20T15:32:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22079"
},
{
"type": "WEB",
"url": "https://www.elspec-ltd.com/support/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q393-GPQ2-PRJV
Vulnerability from github – Published: 2024-01-11 18:31 – Updated: 2024-01-11 18:31A vulnerability, which was classified as critical, was found in DeShang DSShop up to 2.1.5. This affects an unknown part of the file application/home/controller/MemberAuth.php. The manipulation of the argument member_info leads to path traversal: '../filedir'. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250437 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-0417"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-11T18:15:44Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, was found in DeShang DSShop up to 2.1.5. This affects an unknown part of the file application/home/controller/MemberAuth.php. The manipulation of the argument member_info leads to path traversal: \u0027../filedir\u0027. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250437 was assigned to this vulnerability.",
"id": "GHSA-q393-gpq2-prjv",
"modified": "2024-01-11T18:31:29Z",
"published": "2024-01-11T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0417"
},
{
"type": "WEB",
"url": "https://note.zhaoj.in/share/ZpRTCLblKd7N"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.250437"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.250437"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q72C-XCW3-M4XJ
Vulnerability from github – Published: 2023-12-22 06:30 – Updated: 2023-12-22 06:30A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument page leads to path traversal: '../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-248749 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-7058"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-22T05:15:13Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument page leads to path traversal: \u0027../filedir\u0027. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-248749 was assigned to this vulnerability.",
"id": "GHSA-q72c-xcw3-m4xj",
"modified": "2023-12-22T06:30:26Z",
"published": "2023-12-22T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7058"
},
{
"type": "WEB",
"url": "https://github.com/laoquanshi/Simple-Student-Attendance-System"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.248749"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.248749"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QCF5-VQ3M-33Q3
Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2025-09-04 21:31In multiple locations, there is a possible Android/data access due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-26427"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T18:15:41Z",
"severity": "MODERATE"
},
"details": "In multiple locations, there is a possible Android/data access due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
"id": "GHSA-qcf5-vq3m-33q3",
"modified": "2025-09-04T21:31:37Z",
"published": "2025-09-04T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26427"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/4af5db76f25348849252e0b8a08f4a517ef842b7"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/packages/providers/DownloadProvider/+/5acd646e0cf63e2c9c0862da7e03531ef0074394"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2025-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QJ4X-9G63-25G6
Vulnerability from github – Published: 2026-07-07 13:01 – Updated: 2026-07-07 13:01Impact
With Jetty 12+ a user can craft a URL to access any resource the Jetty instance is allowed to access.
For example http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd allows downloading the content of the /etc/passwd file, provided Jetty is allowed to read it, and if your XWiki webapp is located exactly 5 levels below / (like /var/lib/jetty/webapps/xwiki, which is the case in the docker image, for example).
Another example which does not go out of the XWiki webapp, but it's still a vulnerability (since users should not be allowed to access Hibernate or XWiki configuration files) is http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg.
Patches
This vulnerability has been patched in XWiki 17.10.5 and 18.2.0.
Workarounds
A possible workaround is to use a different application server, like Jetty < 12 (in the case of XWiki < 17) or Tomcat, which don't seem to be impacted.
Resources
- https://jira.xwiki.org/browse/XWIKI-24075
- https://jira.xwiki.org/browse/XCOMMONS-3594
For more information
If there are any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Send an email to the Security Mailing List
Attribution
Lê Ngọc Khoa reported the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "17.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "18.0.0-rc-1"
},
{
"fixed": "18.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34151"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-07T13:01:21Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nWith Jetty 12+ a user can craft a URL to access any resource the Jetty instance is allowed to access.\n\nFor example `http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd` allows downloading the content of the /etc/passwd file, provided Jetty is allowed to read it, and if your XWiki webapp is located exactly 5 levels below `/` (like `/var/lib/jetty/webapps/xwiki`, which is the case in the docker image, for example).\n\nAnother example which does not go out of the XWiki webapp, but it\u0027s still a vulnerability (since users should not be allowed to access Hibernate or XWiki configuration files) is `http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg`.\n\n### Patches\n\nThis vulnerability has been patched in XWiki 17.10.5 and 18.2.0.\n\n### Workarounds\n\nA possible workaround is to use a different application server, like Jetty \u003c 12 (in the case of XWiki \u003c 17) or Tomcat, which don\u0027t seem to be impacted.\n\n### Resources\n\n* https://jira.xwiki.org/browse/XWIKI-24075\n* https://jira.xwiki.org/browse/XCOMMONS-3594\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Send an email to the [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\n L\u00ea Ng\u1ecdc Khoa reported the vulnerability.",
"id": "GHSA-qj4x-9g63-25g6",
"modified": "2026-07-07T13:01:22Z",
"published": "2026-07-07T13:01:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qj4x-9g63-25g6"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-commons/pull/1675"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XCOMMONS-3594"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-24075"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+"
}
GHSA-RCVG-RGF7-PPPV
Vulnerability from github – Published: 2024-08-05 19:48 – Updated: 2024-08-06 14:38Summary
Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability.
In certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE.
Details
The getTextAssetContent function does not check for path traversals (source), this could allow an attacker to read arbitrary files over the RPC WebSocket.
The WebSocket server does not check the origin of the request (source) leading to CSWSH. This may be intentional to allow certain configurations to work correctly.
Nuxt Devtools authentication tokens are placed within the home directory of the current user (source).
In the scenario that: + The user has a Nuxt3 Project running + Devtools is enabled and running + The project is placed within the users home directory. + The user visits a malicious webpage + User has authenticated with devtools at least once
The malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, then use the authenticated writeStaticAssets function to create a new Component, Nitro Handler or app.vue file which will run automatically as the file is changed.
PoC
POC will exploit the Devtools server on localhost:3000 (you may need to manually restart the server as the restart hook does not always work).
POC: https://devtools-exploit.pages.dev
- Create a new project with nuxt.new.
- Place the project inside your home directory.
- Run
pnpm run dev. - Open the POC page.
The POC will: + Identify devtools version. + Leak your devtools token. + Create a new server handler with an insecure eval.
Impact
- All new Nuxt projects by default (devtools is enabled) are vulnerable to arbitrary file read.
- Certain Nuxt configurations are vulnerable to Remote Code Execution
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@nuxt/devtools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23657"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-05T19:48:56Z",
"nvd_published_at": "2024-08-05T21:15:37Z",
"severity": "HIGH"
},
"details": "### Summary\nNuxt Devtools is missing authentication on the `getTextAssetContent` RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker is able to interact with a locally running devtools instance and exfiltrate data abusing this vulnerability. \n\nIn certain configurations an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve RCE. \n\n### Details\nThe `getTextAssetContent` function does not check for path traversals [(source)](https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L88C48-L88C48), this could allow an attacker to read arbitrary files over the RPC WebSocket. \n\nThe WebSocket server does not check the origin of the request [(source)](https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/index.ts#L109) leading to [CSWSH](https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking). This may be intentional to allow certain configurations to work correctly.\n\nNuxt Devtools authentication tokens are placed within the home directory of the current user [(source)](https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/dev-auth.ts#L14).\n\nIn the scenario that:\n + The user has a Nuxt3 Project running\n + Devtools is enabled and running\n + The project is placed within the users home directory.\n + The user visits a malicious webpage\n + User has authenticated with devtools at least once\n\nThe malicious webpage can connect to the Devtools WebSocket, perform a directory traversal brute force to find the authentication token, then use the *authenticated* [`writeStaticAssets` function](https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L96C11-L96C28) to create a new Component, Nitro Handler or `app.vue` file which will run automatically as the file is changed.\n\n### PoC\nPOC will exploit the Devtools server on localhost:3000 (you may need to manually restart the server as the restart hook does not always work).\n\nPOC: https://devtools-exploit.pages.dev\n\n1. Create a new project with nuxt.new.\n2. Place the project inside your home directory.\n3. Run `pnpm run dev`.\n4. Open the POC page.\n\nThe POC will:\n+ Identify devtools version.\n+ Leak your devtools token.\n+ Create a new server handler with an insecure eval.\n\n### Impact\n+ All new Nuxt projects by default (devtools is enabled) are vulnerable to arbitrary file read.\n+ Certain Nuxt configurations are vulnerable to Remote Code Execution\n",
"id": "GHSA-rcvg-rgf7-pppv",
"modified": "2024-08-06T14:38:36Z",
"published": "2024-08-05T19:48:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-rcvg-rgf7-pppv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23657"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/dev-auth.ts#L14"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L88C48-L88C48"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/assets.ts#L96C11-L96C28"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/devtools/blob/c4f2b68281203fc3f61ffc97d9c6623fbfde46bb/packages/devtools/src/server-rpc/index.ts#L109"
},
{
"type": "PACKAGE",
"url": "https://github.com/nuxt/nuxt"
},
{
"type": "WEB",
"url": "https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nuxt Devtools has a Path Traversal: \u0027../filedir\u0027"
}
GHSA-RMRX-HHMG-HQQ9
Vulnerability from github – Published: 2024-10-25 12:31 – Updated: 2024-10-25 12:31A vulnerability classified as problematic was found in ESAFENET CDG 5. Affected by this vulnerability is the function actionViewDecyptFile of the file /com/esafenet/servlet/client/DecryptApplicationService.java. The manipulation of the argument decryptFileId with the input ../../../Windows/System32/drivers/etc/hosts leads to path traversal: '../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The affected function has a typo and is missing an R. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-10379"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-25T12:15:02Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in ESAFENET CDG 5. Affected by this vulnerability is the function actionViewDecyptFile of the file /com/esafenet/servlet/client/DecryptApplicationService.java. The manipulation of the argument decryptFileId with the input ../../../Windows/System32/drivers/etc/hosts leads to path traversal: \u0027../filedir\u0027. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The affected function has a typo and is missing an R. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-rmrx-hhmg-hqq9",
"modified": "2024-10-25T12:31:34Z",
"published": "2024-10-25T12:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10379"
},
{
"type": "WEB",
"url": "https://flowus.cn/share/0b03c61a-76a5-4f45-9ee7-a88e0f21d539?code=G8A6P3"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.281809"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.281809"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.426087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RPXW-V4QW-9CWH
Vulnerability from github – Published: 2023-03-14 15:30 – Updated: 2023-03-17 06:30A vulnerability classified as critical was found in XiaoBingBy TeaCMS 2.0. Affected by this vulnerability is an unknown functionality of the file /admin/upload. The manipulation leads to path traversal: '../filedir'. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222985 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-1398"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-14T15:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as critical was found in XiaoBingBy TeaCMS 2.0. Affected by this vulnerability is an unknown functionality of the file /admin/upload. The manipulation leads to path traversal: \u0027../filedir\u0027. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-222985 was assigned to this vulnerability.",
"id": "GHSA-rpxw-v4qw-9cwh",
"modified": "2023-03-17T06:30:35Z",
"published": "2023-03-14T15:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1398"
},
{
"type": "WEB",
"url": "https://gitee.com/xiaobingby/TeaCMS/issues/I6IIYV"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.222985"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.222985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.