Common Weakness Enumeration

CWE-59

Allowed

Improper Link Resolution Before File Access ('Link Following')

Abstraction: Base · Status: Draft

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

1982 vulnerabilities reference this CWE, most recent first.

GHSA-XV7P-MCP9-W898

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23
VLAI
Details

UploaderService in SnagIT 2019.1.2 allows elevation of privilege by placing an invalid presentation file in %PROGRAMDATA%\TechSmith\TechSmith Recorder\QueuedPresentations and then creating a symbolic link in %PROGRAMDATA%\Techsmith\TechSmith Recorder\InvalidPresentations that points to an arbitrary folder with an arbitrary file name. TechSmith Relay Classic Recorder prior to 5.2.1 on Windows is vulnerable. The vulnerability was introduced in SnagIT Windows 12.4.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13382"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-26T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "UploaderService in SnagIT 2019.1.2 allows elevation of privilege by placing an invalid presentation file in %PROGRAMDATA%\\TechSmith\\TechSmith Recorder\\QueuedPresentations and then creating a symbolic link in %PROGRAMDATA%\\Techsmith\\TechSmith Recorder\\InvalidPresentations that points to an arbitrary folder with an arbitrary file name. TechSmith Relay Classic Recorder prior to 5.2.1 on Windows is vulnerable. The vulnerability was introduced in SnagIT Windows 12.4.1.",
  "id": "GHSA-xv7p-mcp9-w898",
  "modified": "2024-04-04T01:23:16Z",
  "published": "2022-05-24T16:51:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13382"
    },
    {
      "type": "WEB",
      "url": "https://posts.specterops.io/cve-2019-13382-local-privilege-escalation-in-snagit-abe5f31c349"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010"
    },
    {
      "type": "WEB",
      "url": "https://support.techsmith.com/hc/en-us/articles/115006435067-Snagit-Windows-Version-History"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XV87-WVQW-65G9

Vulnerability from github – Published: 2022-05-02 00:09 – Updated: 2022-05-02 00:09
VLAI
Details

A certain Debian patch to the run scripts for sabre (aka xsabre) 0.2.4b allows local users to delete or overwrite arbitrary files via a symlink attack on unspecified .tmp files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-10-03T17:41:00Z",
    "severity": "HIGH"
  },
  "details": "A certain Debian patch to the run scripts for sabre (aka xsabre) 0.2.4b allows local users to delete or overwrite arbitrary files via a symlink attack on unspecified .tmp files.",
  "id": "GHSA-xv87-wvqw-65g9",
  "modified": "2022-05-02T00:09:43Z",
  "published": "2022-05-02T00:09:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4406"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45609"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45715"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/433996"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2008/10/01/1"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/48895"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31512"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XVC5-JG6R-264J

Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30
VLAI
Details

Azure Network Watcher VM Agent Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T17:15:23Z",
    "severity": "HIGH"
  },
  "details": "Azure Network Watcher VM Agent Elevation of Privilege Vulnerability",
  "id": "GHSA-xvc5-jg6r-264j",
  "modified": "2024-09-10T18:30:45Z",
  "published": "2024-09-10T18:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38188"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVG3-V23F-88P6

Vulnerability from github – Published: 2025-10-13 09:30 – Updated: 2025-10-13 09:30
VLAI
Details

A link following vulnerability exists in the UnifyScanner component of Armoury Crate. This vulnerability may be triggered by creating a specially crafted junction, potentially leading to local privilege escalation. For more information, please refer to section 'Security Update for Armoury Crate App' in the ASUS Security Advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-13T09:15:41Z",
    "severity": "HIGH"
  },
  "details": "A link following vulnerability exists in the UnifyScanner component of Armoury Crate. This vulnerability may be triggered by creating a specially crafted junction, potentially leading to local privilege escalation.\nFor more information, please refer to section \u0027Security Update for Armoury Crate App\u0027\u00a0in the ASUS Security Advisory.",
  "id": "GHSA-xvg3-v23f-88p6",
  "modified": "2025-10-13T09:30:25Z",
  "published": "2025-10-13T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9968"
    },
    {
      "type": "WEB",
      "url": "https://www.asus.com/security-advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XVW3-FVP9-CWJW

Vulnerability from github – Published: 2024-12-25 15:30 – Updated: 2024-12-25 15:30
VLAI
Details

Dell SupportAssist for Home PCs versions 4.6.1 and prior and Dell SupportAssist for Business PCs versions 4.5.0 and prior, contain a symbolic link (symlink) attack vulnerability in the software remediation component. A low-privileged authenticated user could potentially exploit this vulnerability, gaining privileges escalation, leading to arbitrary deletion of files and folders from the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-61"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-25T15:15:07Z",
    "severity": "HIGH"
  },
  "details": "Dell SupportAssist for Home PCs versions 4.6.1 and prior and Dell SupportAssist for Business PCs versions 4.5.0 and prior, contain a symbolic link (symlink) attack vulnerability in the software remediation component. A low-privileged authenticated user could potentially exploit this vulnerability, gaining privileges escalation, leading to arbitrary deletion of files and folders from the system.",
  "id": "GHSA-xvw3-fvp9-cwjw",
  "modified": "2024-12-25T15:30:42Z",
  "published": "2024-12-25T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52535"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000261086/dsa-2024-470-security-update-for-dell-supportassist-for-home-pcs-and-dell-supportassist-for-business-pcs-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XW24-F63W-VQ32

Vulnerability from github – Published: 2022-05-14 03:28 – Updated: 2022-05-14 03:28
VLAI
Details

An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "ATS" component. It allows attackers to obtain sensitive information by leveraging symlink mishandling.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-03T06:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"ATS\" component. It allows attackers to obtain sensitive information by leveraging symlink mishandling.",
  "id": "GHSA-xw24-f63w-vq32",
  "modified": "2022-05-14T03:28:57Z",
  "published": "2022-05-14T03:28:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4112"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208692"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103582"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040608"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XWG2-QC6C-7C3Q

Vulnerability from github – Published: 2022-05-17 05:40 – Updated: 2024-01-19 18:16
VLAI
Summary
Fabric vulnerable to symlink attack on tmp files
Details

Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fabric"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-2185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-19T18:16:49Z",
    "nvd_published_at": "2011-07-27T02:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a `/tmp/fab.*.tar` file or (2) certain other files in the top level of `/tmp/`.",
  "id": "GHSA-xwg2-qc6c-7c3q",
  "modified": "2024-01-19T18:16:49Z",
  "published": "2022-05-17T05:40:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2185"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fabric/fabric/commit/3445b5653cd297039443110548fb3cab2e8e25af"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fabric/fabric/commit/d7470d2db919ffcee80c245cf87e6d8d4ba6909c"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=710462"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fabric/fabric"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629003"
    },
    {
      "type": "WEB",
      "url": "http://code.fabfile.org/projects/fabric/files/Fabric-1.1.0.tar.gz"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062534.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/06/03/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2011/06/06/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Fabric vulnerable to symlink attack on tmp files"
}

GHSA-XWQX-RPJH-4W5R

Vulnerability from github – Published: 2022-05-17 05:51 – Updated: 2022-05-17 05:51
VLAI
Details

delqueueask in rccp 0.9 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/cccp_tmp.txt temporary file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-4980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-11-06T15:55:00Z",
    "severity": "MODERATE"
  },
  "details": "delqueueask in rccp 0.9 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/cccp_tmp.txt temporary file.",
  "id": "GHSA-xwqx-rpjh-4w5r",
  "modified": "2022-05-17T05:51:55Z",
  "published": "2022-05-17T05:51:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4980"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/496364"
    },
    {
      "type": "WEB",
      "url": "http://dev.gentoo.org/~rbu/security/debiantemp/rccp"
    },
    {
      "type": "WEB",
      "url": "http://uvw.ru/report.lenny.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30955"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XWXC-WC23-RVJ5

Vulnerability from github – Published: 2022-04-29 01:28 – Updated: 2022-04-29 01:28
VLAI
Details

Netscape Navigator 7.0.2 and Mozilla allows remote attackers to access cookie information in a different domain via an HTTP request for a domain with an extra . (dot) at the end.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2003-1492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-12-31T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Netscape Navigator 7.0.2 and Mozilla allows remote attackers to access cookie information in a different domain via an HTTP request for a domain with an extra . (dot) at the end.",
  "id": "GHSA-xwxc-wc23-rvj5",
  "modified": "2022-04-29T01:28:10Z",
  "published": "2022-04-29T01:28:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-1492"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11924"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/319919"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/7456"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XX2R-F4XG-6RG7

Vulnerability from github – Published: 2023-03-29 15:30 – Updated: 2024-03-05 21:30
VLAI
Details

Malwarebytes AdwCleaner 8.4.0 runs as Administrator and performs an insecure file delete operation on C:\AdwCleaner\Logs\AdwCleaner_Debug.log in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-29T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Malwarebytes AdwCleaner 8.4.0 runs as Administrator and performs an insecure file delete operation on C:\\AdwCleaner\\Logs\\AdwCleaner_Debug.log in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link.",
  "id": "GHSA-xx2r-f4xg-6rg7",
  "modified": "2024-03-05T21:30:24Z",
  "published": "2023-03-29T15:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28892"
    },
    {
      "type": "WEB",
      "url": "https://forums.malwarebytes.com/topic/307429-release-adwcleaner-841"
    },
    {
      "type": "WEB",
      "url": "https://malwarebytes.com"
    },
    {
      "type": "WEB",
      "url": "https://www.malwarebytes.com/secure/cves/cve-2023-28892"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

CAPEC-17: Using Malicious Files

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.