CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-HFRC-JQ43-4M6C
Vulnerability from github – Published: 2023-07-13 09:30 – Updated: 2025-11-04 00:30JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.
{
"affected": [],
"aliases": [
"CVE-2023-29450"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T09:15:09Z",
"severity": "HIGH"
},
"details": "JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user \"zabbix\") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.",
"id": "GHSA-hfrc-jq43-4m6c",
"modified": "2025-11-04T00:30:38Z",
"published": "2023-07-13T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29450"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00027.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00000.html"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-22588"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HFV2-PF68-M33X
Vulnerability from github – Published: 2025-12-09 17:12 – Updated: 2025-12-09 21:37Impact
Due to unsafe handling and deletion of temporary files during the dictionary upload process, an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application’s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server’s filesystem. This vulnerability does not allow reading or writing file contents.
In certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. The direct impact of this vulnerability is therefore limited to confidentiality, which is reflected in its CVSS base score of 4.9
While the CVSS Base Score captures only the immediate effect, the practical risk varies significantly based on hosting environment and identity configuration. Umbraco Cloud sites run under low-privilege, isolated Azure App Service worker identities, which mitigates the impact of any credential exposure. In contrast, self-hosted deployments could run Umbraco using privileged local or domain accounts. If such an account’s NTLM hash is disclosed, an attacker may be able to: - Perform NTLM relay attacks - Crack the hash offline to recover the underlying password - Authenticate as the compromised identity - Access internal systems trusted by that identity - Move laterally within the network - Potentially escalate to full domain compromise in weakly segmented environments
These outcomes are not part of the CVSS base score, which only rates the immediate confidentiality impact, but represent realistic downstream consequences for installations using elevated or widely-trusted service accounts. Self-hosted environments running Umbraco under privileged identities are therefore at significantly higher risk.
Vulnerability found and reported by Tomasz Holeksa at Pentest Limited
Patches
The issue has been patched in 13.12.1.
Workarounds
The issue can only be exploited by authorized backoffice accounts with access to the "Translations" section.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 13.12.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Umbraco.Cms"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "13.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66625"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-377",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-09T17:12:18Z",
"nvd_published_at": "2025-12-09T20:15:55Z",
"severity": "MODERATE"
},
"details": "### Impact\nDue to unsafe handling and deletion of temporary files during the dictionary upload process, an attacker with access to the backoffice can trigger predictable requests to temporary file paths. The application\u2019s error responses (HTTP 500 when a file exists, 404 when it does not) allow the attacker to enumerate the existence of arbitrary files on the server\u2019s filesystem. This vulnerability does not allow reading or writing file contents.\n\nIn certain configurations, incomplete clean-up of temporary upload files may additionally expose the NTLM hash of the Windows account running the Umbraco application. The direct impact of this vulnerability is therefore limited to confidentiality, which is reflected in its CVSS base score of 4.9\n\nWhile the CVSS Base Score captures only the immediate effect, the practical risk varies significantly based on hosting environment and identity configuration. Umbraco Cloud sites run under low-privilege, isolated Azure App Service worker identities, which mitigates the impact of any credential exposure. In contrast, self-hosted deployments could run Umbraco using privileged local or domain accounts. If such an account\u2019s NTLM hash is disclosed, an attacker may be able to:\n- Perform NTLM relay attacks\n- Crack the hash offline to recover the underlying password\n- Authenticate as the compromised identity\n- Access internal systems trusted by that identity\n- Move laterally within the network\n- Potentially escalate to full domain compromise in weakly segmented environments\n\nThese outcomes are not part of the CVSS base score, which only rates the immediate confidentiality impact, but represent realistic downstream consequences for installations using elevated or widely-trusted service accounts. Self-hosted environments running Umbraco under privileged identities are therefore at significantly higher risk.\n\nVulnerability found and reported by Tomasz Holeksa at Pentest Limited\n\n### Patches\nThe issue has been patched in 13.12.1.\n\n### Workarounds\nThe issue can only be exploited by authorized backoffice accounts with access to the \"Translations\" section.",
"id": "GHSA-hfv2-pf68-m33x",
"modified": "2025-12-09T21:37:25Z",
"published": "2025-12-09T17:12:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-hfv2-pf68-m33x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66625"
},
{
"type": "WEB",
"url": "https://github.com/umbraco/Umbraco-CMS/commit/7505efd433189037f46547932d4a8b603fd4a615"
},
{
"type": "PACKAGE",
"url": "https://github.com/umbraco/Umbraco-CMS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Umbraco Vulnerable to Improper File Access and Credential Exposure in Dictionary Import Functionality"
}
GHSA-HFWX-C7Q6-G54C
Vulnerability from github – Published: 2021-03-12 23:04 – Updated: 2021-03-12 22:32Impact
The vulnerability allows for reading and outputting files served by other services on the internal network in which the export server is hosted. If the export server is exposed to the internet, this potentially allows a malicious user to gain read access to internal web-resources.
The impact is limited to internal services that serve content via. HTTP(S), and requires the attacker to know internal hostnames/IP addresses.
The previous versions have been marked as deprecated on NPM.
Patches
Version 2.1.0 released alongside this security advisory addresses the issue. Please note that this release is not backwards compatible out of the box. See the changelog for details.
Additionally, it's also recommended to upgrade to the latest version of Highcharts to get the added input sanitation implemented in version 9.0 and later.
Workarounds
There are no known workarounds to the issue - an upgrade to version 2.1.0 is required.
For more information
If you have any questions or comments about this advisory: * Open an issue in the export server issue tracker * Email us at security@highsoft.com
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.30"
},
"package": {
"ecosystem": "npm",
"name": "highcharts-export-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-12T22:32:16Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe vulnerability allows for reading and outputting files served by other services on the internal network in which the export server is hosted. If the export server is exposed to the internet, this potentially allows a malicious user to gain read access to internal web-resources.\n\nThe impact is limited to internal services that serve content via. HTTP(S), and requires the attacker to know internal hostnames/IP addresses.\n\nThe previous versions have been marked as deprecated on NPM.\n\n### Patches\n\nVersion 2.1.0 released alongside this security advisory addresses the issue. **Please note that this release is not backwards compatible out of the box. See the [changelog](https://github.com/highcharts/node-export-server/blob/master/CHANGELOG.md) for details.**\n\nAdditionally, it\u0027s also recommended to upgrade to the latest version of Highcharts to get the added input sanitation implemented in version 9.0 and later. \n\n### Workarounds\n\nThere are no known workarounds to the issue - an upgrade to version 2.1.0 is required.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the export server issue tracker](https://github.com/highcharts/node-export-server/issues)\n* Email us at [security@highsoft.com](mailto:security@highsoft.com)",
"id": "GHSA-hfwx-c7q6-g54c",
"modified": "2021-03-12T22:32:16Z",
"published": "2021-03-12T23:04:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/highcharts/node-export-server/security/advisories/GHSA-hfwx-c7q6-g54c"
},
{
"type": "WEB",
"url": "https://github.com/highcharts/node-export-server/commit/53fa992a96785a5a08390e55ec30ea2ad217dfe6"
},
{
"type": "WEB",
"url": "https://github.com/highcharts/node-export-server/blob/master/CHANGELOG.md#210"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/highcharts-export-server"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Vulnerability allowing for reading internal HTTP resources"
}
GHSA-HG22-XHFQ-MFRQ
Vulnerability from github – Published: 2022-07-18 00:00 – Updated: 2022-07-19 00:00The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.
{
"affected": [],
"aliases": [
"CVE-2022-2222"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-17T11:15:00Z",
"severity": "MODERATE"
},
"details": "The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in an hardened environment or multisite setup.",
"id": "GHSA-hg22-xhfq-mfrq",
"modified": "2022-07-19T00:00:27Z",
"published": "2022-07-18T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2222"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HG36-F8HX-FRW9
Vulnerability from github – Published: 2023-09-06 12:30 – Updated: 2024-04-04 07:31File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Exploitation of this vulnerability could allow an authenticated user with administrative privileges to create a backup file in the application's webroot directory, changing the default backup directory to the wwwroot folder, and download it with some configuration files such as encryption.config/ and database.config stored in the wwwroot directory, exposing the database credentials in plain text.
{
"affected": [],
"aliases": [
"CVE-2023-4588"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-06T12:15:07Z",
"severity": "MODERATE"
},
"details": "File accessibility vulnerability in Delinea Secret Server, in its v10.9.000002 and v11.4.000002 versions. Exploitation of this vulnerability could allow an authenticated user with administrative privileges to create a backup file in the application\u0027s webroot directory, changing the default backup directory to the wwwroot folder, and download it with some configuration files such as encryption.config/ and database.config stored in the wwwroot directory, exposing the database credentials in plain text.",
"id": "GHSA-hg36-f8hx-frw9",
"modified": "2024-04-04T07:31:50Z",
"published": "2023-09-06T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4588"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-delinea-secret-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HHGH-4VPC-8C58
Vulnerability from github – Published: 2025-03-06 21:31 – Updated: 2025-03-06 21:31A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /upload/. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-2038"
],
"database_specific": {
"cwe_ids": [
"CWE-548",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T20:15:38Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /upload/. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-hhgh-4vpc-8c58",
"modified": "2025-03-06T21:31:27Z",
"published": "2025-03-06T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2038"
},
{
"type": "WEB",
"url": "https://code-projects.org"
},
{
"type": "WEB",
"url": "https://github.com/intercpt/XSS1/blob/main/Directorylisting.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.298781"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.298781"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.512558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HJ6H-FPV2-5H4V
Vulnerability from github – Published: 2025-10-09 18:30 – Updated: 2025-11-04 21:31In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild.
This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
{
"affected": [],
"aliases": [
"CVE-2025-11371"
],
"database_specific": {
"cwe_ids": [
"CWE-220",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-09T17:15:58Z",
"severity": "MODERATE"
},
"details": "In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild.\u00a0\n\nThis issue impacts Gladinet CentreStack and Triofox: All versions prior to and including\u00a016.7.10368.56560",
"id": "GHSA-hj6h-fpv2-5h4v",
"modified": "2025-11-04T21:31:32Z",
"published": "2025-10-09T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11371"
},
{
"type": "WEB",
"url": "https://www.centrestack.com/p/gce_latest_release.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11371"
},
{
"type": "WEB",
"url": "https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HJHP-PRGP-PR6H
Vulnerability from github – Published: 2023-05-17 18:30 – Updated: 2023-05-17 18:30A vulnerability was found in Weaver OA 9.5 and classified as problematic. This issue affects some unknown processing of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini. The manipulation leads to files or directories accessible. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-229271. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-2766"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-17T17:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Weaver OA 9.5 and classified as problematic. This issue affects some unknown processing of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini. The manipulation leads to files or directories accessible. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-229271. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-hjhp-prgp-pr6h",
"modified": "2023-05-17T18:30:30Z",
"published": "2023-05-17T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2766"
},
{
"type": "WEB",
"url": "https://github.com/8079048q/cve/blob/main/weaveroa.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.229271"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.229271"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HMHP-M9P3-PX6R
Vulnerability from github – Published: 2023-12-11 21:30 – Updated: 2023-12-13 21:30The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files.
{
"affected": [],
"aliases": [
"CVE-2023-5907"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-11T20:15:07Z",
"severity": "MODERATE"
},
"details": "The File Manager WordPress plugin before 6.3 does not restrict the file managers root directory, allowing an administrator to set a root outside of the WordPress root directory, giving access to system files and directories even in a multisite setup, where site administrators should not be allowed to modify the sites files.",
"id": "GHSA-hmhp-m9p3-px6r",
"modified": "2023-12-13T21:30:28Z",
"published": "2023-12-11T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5907"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/f250226f-4a05-4d75-93c4-5444a4ce919e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HQ75-6WCM-HC6G
Vulnerability from github – Published: 2022-07-18 00:00 – Updated: 2022-07-28 00:00The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI.
{
"affected": [],
"aliases": [
"CVE-2021-40149"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-17T22:15:00Z",
"severity": "MODERATE"
},
"details": "The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI.",
"id": "GHSA-hq75-6wcm-hc6g",
"modified": "2022-07-28T00:00:44Z",
"published": "2022-07-18T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40149"
},
{
"type": "WEB",
"url": "https://github.com/MrTuxracer/advisories/blob/master/CVEs/CVE-2021-40149.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167407/Reolink-E1-Zoom-Camera-3.0.0.716-Private-Key-Disclosure.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jun/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.