CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1982 vulnerabilities reference this CWE, most recent first.
GHSA-XV7P-MCP9-W898
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23UploaderService in SnagIT 2019.1.2 allows elevation of privilege by placing an invalid presentation file in %PROGRAMDATA%\TechSmith\TechSmith Recorder\QueuedPresentations and then creating a symbolic link in %PROGRAMDATA%\Techsmith\TechSmith Recorder\InvalidPresentations that points to an arbitrary folder with an arbitrary file name. TechSmith Relay Classic Recorder prior to 5.2.1 on Windows is vulnerable. The vulnerability was introduced in SnagIT Windows 12.4.1.
{
"affected": [],
"aliases": [
"CVE-2019-13382"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-26T13:15:00Z",
"severity": "HIGH"
},
"details": "UploaderService in SnagIT 2019.1.2 allows elevation of privilege by placing an invalid presentation file in %PROGRAMDATA%\\TechSmith\\TechSmith Recorder\\QueuedPresentations and then creating a symbolic link in %PROGRAMDATA%\\Techsmith\\TechSmith Recorder\\InvalidPresentations that points to an arbitrary folder with an arbitrary file name. TechSmith Relay Classic Recorder prior to 5.2.1 on Windows is vulnerable. The vulnerability was introduced in SnagIT Windows 12.4.1.",
"id": "GHSA-xv7p-mcp9-w898",
"modified": "2024-04-04T01:23:16Z",
"published": "2022-05-24T16:51:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13382"
},
{
"type": "WEB",
"url": "https://posts.specterops.io/cve-2019-13382-local-privilege-escalation-in-snagit-abe5f31c349"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010"
},
{
"type": "WEB",
"url": "https://support.techsmith.com/hc/en-us/articles/115006435067-Snagit-Windows-Version-History"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XV87-WVQW-65G9
Vulnerability from github – Published: 2022-05-02 00:09 – Updated: 2022-05-02 00:09A certain Debian patch to the run scripts for sabre (aka xsabre) 0.2.4b allows local users to delete or overwrite arbitrary files via a symlink attack on unspecified .tmp files.
{
"affected": [],
"aliases": [
"CVE-2008-4406"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-10-03T17:41:00Z",
"severity": "HIGH"
},
"details": "A certain Debian patch to the run scripts for sabre (aka xsabre) 0.2.4b allows local users to delete or overwrite arbitrary files via a symlink attack on unspecified .tmp files.",
"id": "GHSA-xv87-wvqw-65g9",
"modified": "2022-05-02T00:09:43Z",
"published": "2022-05-02T00:09:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4406"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45609"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45715"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/433996"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2008/10/01/1"
},
{
"type": "WEB",
"url": "http://osvdb.org/48895"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31512"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XVC5-JG6R-264J
Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-38188"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T17:15:23Z",
"severity": "HIGH"
},
"details": "Azure Network Watcher VM Agent Elevation of Privilege Vulnerability",
"id": "GHSA-xvc5-jg6r-264j",
"modified": "2024-09-10T18:30:45Z",
"published": "2024-09-10T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38188"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XVG3-V23F-88P6
Vulnerability from github – Published: 2025-10-13 09:30 – Updated: 2025-10-13 09:30A link following vulnerability exists in the UnifyScanner component of Armoury Crate. This vulnerability may be triggered by creating a specially crafted junction, potentially leading to local privilege escalation. For more information, please refer to section 'Security Update for Armoury Crate App' in the ASUS Security Advisory.
{
"affected": [],
"aliases": [
"CVE-2025-9968"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-13T09:15:41Z",
"severity": "HIGH"
},
"details": "A link following vulnerability exists in the UnifyScanner component of Armoury Crate. This vulnerability may be triggered by creating a specially crafted junction, potentially leading to local privilege escalation.\nFor more information, please refer to section \u0027Security Update for Armoury Crate App\u0027\u00a0in the ASUS Security Advisory.",
"id": "GHSA-xvg3-v23f-88p6",
"modified": "2025-10-13T09:30:25Z",
"published": "2025-10-13T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9968"
},
{
"type": "WEB",
"url": "https://www.asus.com/security-advisory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XVW3-FVP9-CWJW
Vulnerability from github – Published: 2024-12-25 15:30 – Updated: 2024-12-25 15:30Dell SupportAssist for Home PCs versions 4.6.1 and prior and Dell SupportAssist for Business PCs versions 4.5.0 and prior, contain a symbolic link (symlink) attack vulnerability in the software remediation component. A low-privileged authenticated user could potentially exploit this vulnerability, gaining privileges escalation, leading to arbitrary deletion of files and folders from the system.
{
"affected": [],
"aliases": [
"CVE-2024-52535"
],
"database_specific": {
"cwe_ids": [
"CWE-59",
"CWE-61"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-25T15:15:07Z",
"severity": "HIGH"
},
"details": "Dell SupportAssist for Home PCs versions 4.6.1 and prior and Dell SupportAssist for Business PCs versions 4.5.0 and prior, contain a symbolic link (symlink) attack vulnerability in the software remediation component. A low-privileged authenticated user could potentially exploit this vulnerability, gaining privileges escalation, leading to arbitrary deletion of files and folders from the system.",
"id": "GHSA-xvw3-fvp9-cwjw",
"modified": "2024-12-25T15:30:42Z",
"published": "2024-12-25T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52535"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000261086/dsa-2024-470-security-update-for-dell-supportassist-for-home-pcs-and-dell-supportassist-for-business-pcs-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XW24-F63W-VQ32
Vulnerability from github – Published: 2022-05-14 03:28 – Updated: 2022-05-14 03:28An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "ATS" component. It allows attackers to obtain sensitive information by leveraging symlink mishandling.
{
"affected": [],
"aliases": [
"CVE-2018-4112"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-03T06:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the \"ATS\" component. It allows attackers to obtain sensitive information by leveraging symlink mishandling.",
"id": "GHSA-xw24-f63w-vq32",
"modified": "2022-05-14T03:28:57Z",
"published": "2022-05-14T03:28:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4112"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208692"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103582"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040608"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XWG2-QC6C-7C3Q
Vulnerability from github – Published: 2022-05-17 05:40 – Updated: 2024-01-19 18:16Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fabric"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-2185"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-19T18:16:49Z",
"nvd_published_at": "2011-07-27T02:55:00Z",
"severity": "MODERATE"
},
"details": "Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a `/tmp/fab.*.tar` file or (2) certain other files in the top level of `/tmp/`.",
"id": "GHSA-xwg2-qc6c-7c3q",
"modified": "2024-01-19T18:16:49Z",
"published": "2022-05-17T05:40:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2185"
},
{
"type": "WEB",
"url": "https://github.com/fabric/fabric/commit/3445b5653cd297039443110548fb3cab2e8e25af"
},
{
"type": "WEB",
"url": "https://github.com/fabric/fabric/commit/d7470d2db919ffcee80c245cf87e6d8d4ba6909c"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=710462"
},
{
"type": "PACKAGE",
"url": "https://github.com/fabric/fabric"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629003"
},
{
"type": "WEB",
"url": "http://code.fabfile.org/projects/fabric/files/Fabric-1.1.0.tar.gz"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062534.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/06/03/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/06/06/12"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Fabric vulnerable to symlink attack on tmp files"
}
GHSA-XWQX-RPJH-4W5R
Vulnerability from github – Published: 2022-05-17 05:51 – Updated: 2022-05-17 05:51delqueueask in rccp 0.9 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/cccp_tmp.txt temporary file.
{
"affected": [],
"aliases": [
"CVE-2008-4980"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-06T15:55:00Z",
"severity": "MODERATE"
},
"details": "delqueueask in rccp 0.9 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/cccp_tmp.txt temporary file.",
"id": "GHSA-xwqx-rpjh-4w5r",
"modified": "2022-05-17T05:51:55Z",
"published": "2022-05-17T05:51:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4980"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496364"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/rccp"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30955"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XWXC-WC23-RVJ5
Vulnerability from github – Published: 2022-04-29 01:28 – Updated: 2022-04-29 01:28Netscape Navigator 7.0.2 and Mozilla allows remote attackers to access cookie information in a different domain via an HTTP request for a domain with an extra . (dot) at the end.
{
"affected": [],
"aliases": [
"CVE-2003-1492"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2003-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Netscape Navigator 7.0.2 and Mozilla allows remote attackers to access cookie information in a different domain via an HTTP request for a domain with an extra . (dot) at the end.",
"id": "GHSA-xwxc-wc23-rvj5",
"modified": "2022-04-29T01:28:10Z",
"published": "2022-04-29T01:28:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-1492"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/11924"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/319919"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/7456"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XX2R-F4XG-6RG7
Vulnerability from github – Published: 2023-03-29 15:30 – Updated: 2024-03-05 21:30Malwarebytes AdwCleaner 8.4.0 runs as Administrator and performs an insecure file delete operation on C:\AdwCleaner\Logs\AdwCleaner_Debug.log in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link.
{
"affected": [],
"aliases": [
"CVE-2023-28892"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T15:15:00Z",
"severity": "HIGH"
},
"details": "Malwarebytes AdwCleaner 8.4.0 runs as Administrator and performs an insecure file delete operation on C:\\AdwCleaner\\Logs\\AdwCleaner_Debug.log in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link.",
"id": "GHSA-xx2r-f4xg-6rg7",
"modified": "2024-03-05T21:30:24Z",
"published": "2023-03-29T15:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28892"
},
{
"type": "WEB",
"url": "https://forums.malwarebytes.com/topic/307429-release-adwcleaner-841"
},
{
"type": "WEB",
"url": "https://malwarebytes.com"
},
{
"type": "WEB",
"url": "https://www.malwarebytes.com/secure/cves/cve-2023-28892"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.