Common Weakness Enumeration

CWE-706

Allowed-with-Review

Use of Incorrectly-Resolved Name or Reference

Abstraction: Class · Status: Incomplete

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

149 vulnerabilities reference this CWE, most recent first.

GHSA-2V93-G9J3-9Q9H

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-04-30 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

IB/mlx5: Fix initializing CQ fragments buffer

The function init_cq_frag_buf() can be called to initialize the current CQ fragments buffer cq->buf, or the temporary cq->resize_buf that is filled during CQ resize operation.

However, the offending commit started to use function get_cqe() for getting the CQEs, the issue with this change is that get_cqe() always returns CQEs from cq->buf, which leads us to initialize the wrong buffer, and in case of enlarging the CQ we try to access elements beyond the size of the current cq->buf and eventually hit a kernel panic.

[exception RIP: init_cq_frag_buf+103] [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib] [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core] [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt] [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt] [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt] [ffff9f799ddcbec8] kthread at ffffffffa66c5da1 [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd

Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that takes the correct source buffer as a parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:14Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix initializing CQ fragments buffer\n\nThe function init_cq_frag_buf() can be called to initialize the current CQ\nfragments buffer cq-\u003ebuf, or the temporary cq-\u003eresize_buf that is filled\nduring CQ resize operation.\n\nHowever, the offending commit started to use function get_cqe() for\ngetting the CQEs, the issue with this change is that get_cqe() always\nreturns CQEs from cq-\u003ebuf, which leads us to initialize the wrong buffer,\nand in case of enlarging the CQ we try to access elements beyond the size\nof the current cq-\u003ebuf and eventually hit a kernel panic.\n\n [exception RIP: init_cq_frag_buf+103]\n  [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]\n  [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]\n  [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]\n  [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]\n  [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]\n  [ffff9f799ddcbec8] kthread at ffffffffa66c5da1\n  [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd\n\nFix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that\ntakes the correct source buffer as a parameter.",
  "id": "GHSA-2v93-g9j3-9q9h",
  "modified": "2025-04-30T15:30:43Z",
  "published": "2024-05-21T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47261"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ec2dcd680c71d0d36fa25638b327a468babd5c9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ba0aa2feebda680ecfc3c552e867cf4d1b05a3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e670c54eda238cb8a1ea93538a79ae89285c1c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91f7fdc4cc10542ca1045c06aad23365f0d067e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3ecd9c09fcc10cf6b2bc67e2990c397c40a8c26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WMF-P7F8-W42H

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2023-08-24 13:07
VLAI
Summary
EnvoyProxy Envoy Missing HTTP URL path normalization
Details

Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., something/../admin, to bypass access control, e.g., a block on /admin. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-9901"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-14T20:27:42Z",
    "nvd_published_at": "2019-04-25T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Envoy 1.9.0 and before does not normalize HTTP URL paths. A remote attacker may craft a relative path, e.g., `something/../admin`, to bypass access control, e.g., a block on `/admin`. A backend server could then interpret the non-normalized path and provide an attacker access beyond the scope provided for by the access control policy.",
  "id": "GHSA-2wmf-p7f8-w42h",
  "modified": "2023-08-24T13:07:21Z",
  "published": "2022-05-24T16:44:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcx5-93pw-jw2w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9901"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/issues/6435"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/commit/e668e669677e52a00d99652b5a260d1cedafdfa8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/envoy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/blob/main/security/postmortems/cve-2019-9900.md"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/envoy-announce/VoHfnDqZiAM"
    },
    {
      "type": "WEB",
      "url": "https://www.envoyproxy.io/docs/envoy/v1.9.1/intro/version_history"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "EnvoyProxy Envoy Missing HTTP URL path normalization"
}

GHSA-3453-7FW7-W5J4

Vulnerability from github – Published: 2022-03-05 00:00 – Updated: 2022-03-17 00:03
VLAI
Details

Improper Resolution of Path Equivalence in GitHub repository microweber-dev/whmcs_plugin prior to 0.0.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-04T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper Resolution of Path Equivalence in GitHub repository microweber-dev/whmcs_plugin prior to 0.0.4.",
  "id": "GHSA-3453-7fw7-w5j4",
  "modified": "2022-03-17T00:03:19Z",
  "published": "2022-03-05T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0855"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microweber-dev/whmcs_plugin/commit/2e7a11d332db79cc52ccda00455a15f4dc6147ff"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/511879b0-cdaa-4c03-af92-deb54d46284a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-353F-5XF4-QW67

Vulnerability from github – Published: 2023-06-06 02:01 – Updated: 2024-08-09 19:14
VLAI
Summary
Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
Details

The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.

Steps to Fix. Update Vite: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\n2. Secure the server configuration: In your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories.

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected and only files in the immediate Vite project root folder could be exposed.\n\n### Patches\nFixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5 and in the latest minors of the previous two majors, vite@3.2.7 and vite@2.9.16.

### Details Vite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \n\n### PoC\n1. Create a new latest project of Vite using any package manager. (here I'm using react and vue templates and pnpm for testing)\n2. Serve the application on dev mode using pnpm run dev.\n3. Directly access the file via url using double forward-slash (//) (e.g: //.env, //.env.local)\n4. The server option fs.deny was successfully bypassed.

Proof Images: proof-1\nproof-2

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.2"
            },
            {
              "fixed": "3.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "vite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-50",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T02:01:39Z",
    "nvd_published_at": "2023-06-01T17:15:10Z",
    "severity": "HIGH"
  },
  "details": "The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (`//`). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files.\n\n### Steps to Fix. **Update Vite**: Ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.\\n2. **Secure the server configuration**: In your `vite.config.js` file, review and update the server configuration options to restrict access to unauthorized requests or directories.\n\n### Impact\nOnly users explicitly exposing the Vite dev server to the network (using `--host` or the [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected and only files in the immediate Vite project root folder could be exposed.\\n\\n### Patches\\nFixed in vite@**4.3.9**, vite@**4.2.3**, vite@**4.1.5**, vite@**4.0.5** and in the latest minors of the previous two majors, vite@**3.2.7** and vite@**2.9.16**.\n\n ### Details \nVite serves the application with under the root-path of the project while running on the dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But using a simple double forward-slash, we can bypass this restriction. \\n\\n### PoC\\n1. Create a new latest project of Vite using any package manager. (here I\u0027m using react and vue templates and pnpm for testing)\\n2. Serve the application on dev mode using `pnpm run dev`.\\n3. Directly access the file via url using double forward-slash (`//`) (e.g: `//.env`, `//.env.local`)\\n4. The server option `fs.deny` was successfully bypassed.\n\nProof Images: ![proof-1](https://user-images.githubusercontent.com/30733517/241105344-6ecbc7f6-57b7-45c7-856a-6421a577dda1.png)\\n![proof-2](https://user-images.githubusercontent.com/30733517/241105349-ab9561e7-8aff-4f29-97f9-b784e673c122.png)",
  "id": "GHSA-353f-5xf4-qw67",
  "modified": "2024-08-09T19:14:57Z",
  "published": "2023-06-06T02:01:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/security/advisories/GHSA-353f-5xf4-qw67"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34092"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/pull/13348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite/commit/813ddd6155c3d54801e264ba832d8347f6f66b32"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vitejs/vite"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/package/npm/vite/3.2.0-beta.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)"
}

GHSA-4F5G-544M-849J

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

The employee management page of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrary access employee's data, modify it, and then obtain administrator privilege and execute arbitrary command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-09T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "The employee management page of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrary access employee\u0027s data, modify it, and then obtain administrator privilege and execute arbitrary command.",
  "id": "GHSA-4f5g-544m-849j",
  "modified": "2022-05-24T19:10:27Z",
  "published": "2022-05-24T19:10:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37214"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-4991-658b1-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4JCH-X64F-4WHQ

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated user with admin authorization to create DNS query strings that are not hostnames. IBM X-Force ID: 187861.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-02T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated user with admin authorization to create DNS query strings that are not hostnames. IBM X-Force ID: 187861.",
  "id": "GHSA-4jch-x64f-4whq",
  "modified": "2022-05-24T17:43:27Z",
  "published": "2022-05-24T17:43:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4719"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/187861"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6417137"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4MH3-H929-W968

Vulnerability from github – Published: 2026-02-10 00:25 – Updated: 2026-02-10 02:56
VLAI
Summary
File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL
Details

Summary

An authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files.

Details

The vulnerability allows users to bypass "Disallow" rules defined by administrators.

The issue stems from how the application handles URL path normalization and rule matching:

  1. Router Configuration: The router in http/http.go is configured with r.SkipClean(true). This prevents the automatic collapse of multiple slashes (e.g., // becoming /) before the request reaches the handler.
  2. Insecure Rule Matching: The rule enforcement logic in rules/rules.go relies on a simple string prefix match: strings.HasPrefix(path, r.Path). If a rule disallows /private, a request for //private fails this check because //private does not strictly start with /private.
  3. Filesystem Resolution: After bypassing the rule check, the non-normalized path is passed to the filesystem. The filesystem treats the multiple slashes as a single separator, successfully resolving //private/secret.txt and serving the file.

PoC

Python minimal PoC

The following steps demonstrate the vulnerability: 1. Setup: - Admin user creates a folder /private and adds a file /private/secret.txt. Screenshot_20260123_151608 Screenshot_20260123_151551 - Admin adds a Disallow rule for user bob on the path /private. Screenshot_20260123_151502

  1. Verification:
  2. User bob requests GET /api/resources/private/secret.txt.
  3. Server responds: 403 Forbidden. Screenshot_20260123_154446
  4. Exploit:
  5. User bob requests GET /api/resources//private/secret.txt.
  6. Server responds: 200 OK (Bypass successful). Screenshot_20260123_154544 Screenshot_20260123_154618

Impact

This vulnerability impacts the confidentiality and integrity of data stored in filebrowser. - Confidentiality: Users can read files they are explicitly forbidden from accessing. - Integrity: If the user has general write permissions but is restricted from specific directories via rules, they can bypass these restrictions to rename, delete, or modify files.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.57.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.57.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T00:25:17Z",
    "nvd_published_at": "2026-02-09T22:16:03Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn authenticated user can bypass the application\u0027s \"Disallow\" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files.\n\n### Details\nThe vulnerability allows users to bypass \"Disallow\" rules defined by administrators.\n\nThe issue stems from how the application handles URL path normalization and rule matching:\n\n1. Router Configuration: The router in `http/http.go` is configured with `r.SkipClean(true)`. This prevents the automatic collapse of multiple slashes (e.g., // becoming /) before the request reaches the handler.\n2. Insecure Rule Matching: The rule enforcement logic in `rules/rules.go` relies on a simple string prefix match: `strings.HasPrefix(path, r.Path)`. If a rule disallows /private, a request for //private fails this check because //private does not strictly start with /private.\n3. Filesystem Resolution: After bypassing the rule check, the non-normalized path is passed to the filesystem. The filesystem treats the multiple slashes as a single separator, successfully resolving //private/secret.txt and serving the file.\n\n### PoC\n[Python minimal PoC](https://github.com/user-attachments/files/24823114/poc.py)\n\nThe following steps demonstrate the vulnerability:\n1. Setup:\n  - Admin user creates a folder /private and adds a file /private/secret.txt.\n\u003cimg width=\"971\" height=\"719\" alt=\"Screenshot_20260123_151608\" src=\"https://github.com/user-attachments/assets/2071c92e-2bbe-46f8-a338-05b0f53d381a\" /\u003e\n\u003cimg width=\"890\" height=\"386\" alt=\"Screenshot_20260123_151551\" src=\"https://github.com/user-attachments/assets/1def540a-de26-4666-a6ab-058d5927bfbe\" /\u003e\n  - Admin adds a Disallow rule for user bob on the path /private.\n\u003cimg width=\"1005\" height=\"1126\" alt=\"Screenshot_20260123_151502\" src=\"https://github.com/user-attachments/assets/e9b57d59-f4ab-41d8-b056-8ffdaa219963\" /\u003e\n\n2. Verification:\n  - User bob requests GET /api/resources/private/secret.txt.\n  - Server responds: 403 Forbidden.\n\u003cimg width=\"1193\" height=\"721\" alt=\"Screenshot_20260123_154446\" src=\"https://github.com/user-attachments/assets/dd092a10-2f8c-4a3c-b48f-d540c483bb5a\" /\u003e\n3. Exploit:\n  - User bob requests GET /api/resources//private/secret.txt.\n  - Server responds: 200 OK (Bypass successful).\n\u003cimg width=\"1193\" height=\"721\" alt=\"Screenshot_20260123_154544\" src=\"https://github.com/user-attachments/assets/27ebb82c-f7c2-467d-ae82-f495ae3aa2d4\" /\u003e\n\u003cimg width=\"1196\" height=\"818\" alt=\"Screenshot_20260123_154618\" src=\"https://github.com/user-attachments/assets/82035884-9a24-490d-b928-7bdd2dbe3193\" /\u003e\n\n\n### Impact\nThis vulnerability impacts the confidentiality and integrity of data stored in filebrowser.\n- Confidentiality: Users can read files they are explicitly forbidden from accessing.\n- Integrity: If the user has general write permissions but is restricted from specific directories via rules, they can bypass these restrictions to rename, delete, or modify files.",
  "id": "GHSA-4mh3-h929-w968",
  "modified": "2026-02-10T02:56:37Z",
  "published": "2026-02-10T00:25:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4mh3-h929-w968"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/489af403a19057f6b6b4b1dc0e48cbb26a202ef9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.57.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL"
}

GHSA-5278-2H8H-4P7C

Vulnerability from github – Published: 2025-04-01 06:30 – Updated: 2026-04-01 18:34
VLAI
Details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through 5.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706",
      "CWE-98"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T06:15:53Z",
    "severity": "HIGH"
  },
  "details": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in g5theme Essential Real Estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through 5.2.0.",
  "id": "GHSA-5278-2h8h-4p7c",
  "modified": "2026-04-01T18:34:18Z",
  "published": "2025-04-01T06:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30849"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/essential-real-estate/vulnerability/wordpress-essential-real-estate-plugin-5-2-0-local-file-inclusion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-527R-MRH4-WX97

Vulnerability from github – Published: 2024-12-17 21:30 – Updated: 2024-12-18 18:30
VLAI
Details

An insecure direct object reference (IDOR) vulnerability was discovered in PHPGurukul Online Birth Certificate System v1.0. This vulnerability resides in the viewid parameter of /user/view-application-detail.php. Authenticated users can exploit this flaw by manipulating the viewid parameter in the URL to access sensitive birth certificate details of other users without proper authorization checks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-17T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An insecure direct object reference (IDOR) vulnerability was discovered in PHPGurukul Online Birth Certificate System v1.0. This vulnerability resides in the viewid parameter of /user/view-application-detail.php. Authenticated users can exploit this flaw by manipulating the viewid parameter in the URL to access sensitive birth certificate details of other users without proper authorization checks.",
  "id": "GHSA-527r-mrh4-wx97",
  "modified": "2024-12-18T18:30:51Z",
  "published": "2024-12-17T21:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SCR-athif/CVE/tree/main/CVE-2024-55058"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-55XG-H548-PGFP

Vulnerability from github – Published: 2022-11-22 00:30 – Updated: 2022-11-28 18:30
VLAI
Details

An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V2 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V2 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for \"Ghost\" domain names.",
  "id": "GHSA-55xg-h548-pgfp",
  "modified": "2022-11-28T18:30:16Z",
  "published": "2022-11-22T00:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30258"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-81"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-159: Redirect Access to Libraries

An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

CAPEC-177: Create files with the same name as files protected with a higher classification

An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.

CAPEC-48: Passing Local Filenames to Functions That Expect a URL

This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.

CAPEC-641: DLL Side-Loading

An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.