Common Weakness Enumeration

CWE-64

Allowed

Windows Shortcut Following (.LNK)

Abstraction: Variant · Status: Incomplete

The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

22 vulnerabilities reference this CWE, most recent first.

GHSA-R8HM-W5F7-WJ39

Vulnerability from github – Published: 2021-11-02 15:42 – Updated: 2024-01-03 22:33
VLAI
Summary
Cross-site scripting vulnerability in TinyMCE plugins
Details

Impact

A cross-site scripting (XSS) vulnerability was discovered in the URL processing logic of the image and link plugins. The vulnerability allowed arbitrary JavaScript execution when updating an image or link using a specially crafted URL. This issue only impacted users while editing and the dangerous URLs were stripped in any content extracted from the editor. This impacts all users who are using TinyMCE 5.9.2 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.10.0 by improved sanitization logic when updating URLs in the relevant plugins.

Workarounds

To work around this vulnerability, either: - Upgrade to TinyMCE 5.10.0 or higher - Disable the image and link plugins

Acknowledgements

Tiny Technologies would like to thank Yakir6 for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes510/#securityfixes

For more information

If you have any questions or comments about this advisory: * Email us at infosec@tiny.cloud * Open an issue in the TinyMCE repo

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tinymce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "tinymce/tinymce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "TinyMCE"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-tinymce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-64",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-01T20:02:43Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nA cross-site scripting (XSS) vulnerability was discovered in the URL processing logic of the `image` and `link` plugins. The vulnerability allowed arbitrary JavaScript execution when updating an image or link using a specially crafted URL. This issue only impacted users while editing and the dangerous URLs were stripped in any content extracted from the editor. This impacts all users who are using TinyMCE 5.9.2 or lower.\n\n### Patches\nThis vulnerability has been patched in TinyMCE 5.10.0 by improved sanitization logic when updating URLs in the relevant plugins.\n\n### Workarounds\nTo work around this vulnerability, either:\n- Upgrade to TinyMCE 5.10.0 or higher\n- Disable the `image` and `link` plugins\n\n### Acknowledgements\nTiny Technologies would like to thank Yakir6 for discovering this vulnerability.\n\n### References\nhttps://www.tiny.cloud/docs/release-notes/release-notes510/#securityfixes\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [infosec@tiny.cloud](mailto:infosec@tiny.cloud)\n* Open an issue in the [TinyMCE repo](https://github.com/tinymce/tinymce/issues)",
  "id": "GHSA-r8hm-w5f7-wj39",
  "modified": "2024-01-03T22:33:13Z",
  "published": "2021-11-02T15:42:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jazzband/django-tinymce/issues/366"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jazzband/django-tinymce/releases/tag/3.4.0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinymce/tinymce"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/django-tinymce/3.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site scripting vulnerability in TinyMCE plugins"
}

GHSA-V338-M87C-MJX4

Vulnerability from github – Published: 2025-07-10 21:31 – Updated: 2025-07-10 21:31
VLAI
Details

Trend Micro Password Manager (Consumer) version 5.8.0.1327 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow an attacker the opportunity to abuse symbolic links and other methods to delete any file/folder and achieve privilege escalation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-59",
      "CWE-64"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T19:15:25Z",
    "severity": "HIGH"
  },
  "details": "Trend Micro Password Manager (Consumer) version 5.8.0.1327 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow an attacker the opportunity to abuse symbolic links and other methods to delete any file/folder and achieve privilege escalation.",
  "id": "GHSA-v338-m87c-mjx4",
  "modified": "2025-07-10T21:31:52Z",
  "published": "2025-07-10T21:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52837"
    },
    {
      "type": "WEB",
      "url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-12946"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-586"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-48.1
Architecture and Design

Strategy: Separation of Privilege

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

No CAPEC attack patterns related to this CWE.