CWE-36
AllowedAbsolute Path Traversal
Abstraction: Base · Status: Draft
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
245 vulnerabilities reference this CWE, most recent first.
GHSA-4X5P-F63M-RVRP
Vulnerability from github – Published: 2026-05-28 06:31 – Updated: 2026-05-28 06:31A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup & Replication server.
{
"affected": [],
"aliases": [
"CVE-2026-32997"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T05:16:35Z",
"severity": "HIGH"
},
"details": "A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on Linux-based Veeam Backup \u0026 Replication server.",
"id": "GHSA-4x5p-f63m-rvrp",
"modified": "2026-05-28T06:31:08Z",
"published": "2026-05-28T06:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32997"
},
{
"type": "WEB",
"url": "https://www.veeam.com/kb4852"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-54VC-PH3H-X39X
Vulnerability from github – Published: 2026-05-05 03:31 – Updated: 2026-05-05 03:31An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);
{
"affected": [],
"aliases": [
"CVE-2026-44029"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T01:16:07Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via \"nix-prefetch-url --unpack\" or \"nix store prefetch-file --unpack\" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7);",
"id": "GHSA-54vc-ph3h-x39x",
"modified": "2026-05-05T03:31:41Z",
"published": "2026-05-05T03:31:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44029"
},
{
"type": "WEB",
"url": "https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/05/04/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-577F-9HHG-FC2W
Vulnerability from github – Published: 2024-06-18 06:30 – Updated: 2024-08-13 21:31Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server may be retrieved by an unauthenticated remote attacker.
{
"affected": [],
"aliases": [
"CVE-2024-33620"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-18T06:15:11Z",
"severity": "HIGH"
},
"details": "Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server may be retrieved by an unauthenticated remote attacker.",
"id": "GHSA-577f-9hhg-fc2w",
"modified": "2024-08-13T21:31:55Z",
"published": "2024-06-18T06:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33620"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN65171386"
},
{
"type": "WEB",
"url": "https://www.fujitsu.com/jp/group/fsas/about/resources/security/2024/0617.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5C9M-MVH3-55FH
Vulnerability from github – Published: 2023-07-18 18:30 – Updated: 2024-04-04 06:14Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a directory traversal vulnerability that could allow an unauthenticated user to directly access any file outside the webroot.
{
"affected": [],
"aliases": [
"CVE-2023-33871"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-18T18:15:12Z",
"severity": "HIGH"
},
"details": "Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a directory traversal vulnerability that could allow an unauthenticated user to directly access any file outside the webroot.",
"id": "GHSA-5c9m-mvh3-55fh",
"modified": "2024-04-04T06:14:18Z",
"published": "2023-07-18T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33871"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5FWX-95CC-HCXV
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-10-22 00:33Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-13161"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:26Z",
"severity": "CRITICAL"
},
"details": "Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.",
"id": "GHSA-5fwx-95cc-hcxv",
"modified": "2025-10-22T00:33:12Z",
"published": "2025-01-14T18:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13161"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161"
},
{
"type": "WEB",
"url": "https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5GPR-W2P5-6M37
Vulnerability from github – Published: 2024-10-07 15:57 – Updated: 2025-03-06 18:12Summary
It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted php://filter URLs an attacker can leak the contents of any file or URL.
Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4, and resides in a different component.
Details
When an XLSX file is opened, the XLSX reader calls setPath() with the path provided in the xl/drawings/_rels/drawing1.xml.rels file in the XLSX archive:
if (isset($images[$embedImageKey])) {
// ...omit irrelevant code...
} else {
$linkImageKey = (string) self::getArrayItem(
$blip->attributes('http://schemas.openxmlformats.org/officeDocument/2006/relationships'),
'link'
);
if (isset($images[$linkImageKey])) {
$url = str_replace('xl/drawings/', '', $images[$linkImageKey]);
$objDrawing->setPath($url);
}
}
setPath() then reads the file in order to determine the file type and dimensions, if the path is a URL:
public function setPath(string $path, bool $verifyFile = true, ?ZipArchive $zip = null): static
{
if ($verifyFile && preg_match('~^data:image/[a-z]+;base64,~', $path) !== 1) {
// Check if a URL has been passed. https://stackoverflow.com/a/2058596/1252979
if (filter_var($path, FILTER_VALIDATE_URL)) {
$this->path = $path;
// Implicit that it is a URL, rather store info than running check above on value in other places.
$this->isUrl = true;
$imageContents = file_get_contents($path);
// ... check dimensions etc. ...
It's important to note here, that filter_var considers also file:// and php:// URLs valid.
The attacker can set the path to anything:
<Relationship Id="rId1"
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
Target="this can be whatever" />
The contents of the file are not made available for the attacker directly. However, using PHP filter URLs it's possible to construct an error oracle which leaks a file or URL contents one character at a time. The error oracle was originally invented by @hash_kitten, and the folks at Synacktiv have developed a nice tool for easily exploiting those: https://github.com/synacktiv/php_filter_chains_oracle_exploit
PoC
Target file:
<?php
require 'vendor/autoload.php';
// Attack part: this would actually be done by the attacker on their machine and the resulting XLSX uploaded, but to
// keep the PoC simple, I've combined this into the same file.
$file = "book_tampered.xlsx";
$payload = $_POST["payload"]; // the payload comes from the Python script
copy("book.xlsx",$file);
$zip = new ZipArchive;
$zip->open($file);
$path = "xl/drawings/_rels/drawing1.xml.rels";
$content = $zip->getFromName($path);
$content = str_replace("../media/image1.gif", $payload, $content);
$zip->addFromString($path, $content);
$path = "xl/drawings/drawing1.xml";
$content = $zip->getFromName($path);
$content = str_replace('r:embed="rId1"', 'r:link="rId1"', $content);
$zip->addFromString($path, $content);
$zip->close();
// The actual target - note that simply opening the file is sufficient for the attack
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/' . $file);
Add this file in the same directory: book.xlsx
Serve the PoC from a web server. Ensure your PHP memory limit is <= 128M - otherwise you'll need to edit the Python script below.
Download the error oracle Python script from here: https://github.com/synacktiv/php_filter_chains_oracle_exploit. If your memory limit is greater than 128M, you'll need to edit the Python script's bruteforcer.py file to change self.blow_up_inf = self.join(*[self.blow_up_utf32]*15) to self.blow_up_inf = self.join(*[self.blow_up_utf32]*20). This is needed so that it generates large-enough payloads to trigger the out of memory errors the oracle relies on. Also install the script's dependencies with pip.
Then run the Python script with:
python3 filters_chain_oracle_exploit.py --target [URL of the script] --parameter payload --file /etc/passwd
Note that the attack relies on certain character encodings being supported by the system's iconv library, because PHP uses that. As far as I know, most Linux distributions have them, but notably MacOS does not. So if you're developing on a Mac, you'll want to run your server in a virtual machine with Linux.
Here's the results I got after about a minute of bruteforcing:
Impact
An attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpexcel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45290"
],
"database_specific": {
"cwe_ids": [
"CWE-36",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-07T15:57:38Z",
"nvd_published_at": "2024-10-07T21:15:17Z",
"severity": "HIGH"
},
"details": "### Summary\n\nIt\u0027s possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL.\n\nNote that this vulnerability is different from [GHSA-w9xv-qf98-ccq4](https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4), and resides in a different component.\n\n### Details\n\nWhen an XLSX file is opened, the XLSX reader calls `setPath()` with the path provided in the `xl/drawings/_rels/drawing1.xml.rels` file in the XLSX archive:\n\n```php\nif (isset($images[$embedImageKey])) {\n // ...omit irrelevant code...\n} else {\n $linkImageKey = (string) self::getArrayItem(\n $blip-\u003eattributes(\u0027http://schemas.openxmlformats.org/officeDocument/2006/relationships\u0027),\n \u0027link\u0027\n );\n if (isset($images[$linkImageKey])) {\n $url = str_replace(\u0027xl/drawings/\u0027, \u0027\u0027, $images[$linkImageKey]);\n $objDrawing-\u003esetPath($url);\n }\n}\n```\n\n`setPath()` then reads the file in order to determine the file type and dimensions, if the path is a URL:\n\n```php\npublic function setPath(string $path, bool $verifyFile = true, ?ZipArchive $zip = null): static\n{\n if ($verifyFile \u0026\u0026 preg_match(\u0027~^data:image/[a-z]+;base64,~\u0027, $path) !== 1) {\n // Check if a URL has been passed. https://stackoverflow.com/a/2058596/1252979\n if (filter_var($path, FILTER_VALIDATE_URL)) {\n $this-\u003epath = $path;\n // Implicit that it is a URL, rather store info than running check above on value in other places.\n $this-\u003eisUrl = true;\n $imageContents = file_get_contents($path);\n // ... check dimensions etc. ...\n```\n\nIt\u0027s important to note here, that `filter_var` considers also `file://` and `php://` URLs valid.\n\nThe attacker can set the path to anything:\n\n```xml\n\u003cRelationship Id=\"rId1\"\n Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/image\"\n Target=\"this can be whatever\" /\u003e\n```\n\nThe contents of the file are not made available for the attacker directly. However, using PHP filter URLs it\u0027s possible to construct an [error oracle](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle) which leaks a file or URL contents one character at a time. The error oracle was originally invented by @hash_kitten, and the folks at Synacktiv have developed a nice tool for easily exploiting those: https://github.com/synacktiv/php_filter_chains_oracle_exploit\n\n### PoC\n\nTarget file:\n\n```php\n\u003c?php\n\nrequire \u0027vendor/autoload.php\u0027;\n\n// Attack part: this would actually be done by the attacker on their machine and the resulting XLSX uploaded, but to\n// keep the PoC simple, I\u0027ve combined this into the same file.\n\n$file = \"book_tampered.xlsx\";\n$payload = $_POST[\"payload\"]; // the payload comes from the Python script\n\ncopy(\"book.xlsx\",$file);\n$zip = new ZipArchive;\n$zip-\u003eopen($file);\n\n$path = \"xl/drawings/_rels/drawing1.xml.rels\";\n$content = $zip-\u003egetFromName($path);\n$content = str_replace(\"../media/image1.gif\", $payload, $content);\n$zip-\u003eaddFromString($path, $content);\n\n$path = \"xl/drawings/drawing1.xml\";\n$content = $zip-\u003egetFromName($path);\n$content = str_replace(\u0027r:embed=\"rId1\"\u0027, \u0027r:link=\"rId1\"\u0027, $content);\n$zip-\u003eaddFromString($path, $content);\n\n$zip-\u003eclose();\n\n// The actual target - note that simply opening the file is sufficient for the attack\n\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader(\"Xlsx\");\n$spreadsheet = $reader-\u003eload(__DIR__ . \u0027/\u0027 . $file);\n\n```\n\nAdd this file in the same directory:\n[book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15213296/book.xlsx)\n\nServe the PoC from a web server. Ensure your PHP memory limit is \u003c= 128M - otherwise you\u0027ll need to edit the Python script below.\n\nDownload the error oracle Python script from here: https://github.com/synacktiv/php_filter_chains_oracle_exploit. If your memory limit is greater than 128M, you\u0027ll need to edit the Python script\u0027s `bruteforcer.py` file to change `self.blow_up_inf = self.join(*[self.blow_up_utf32]*15)` to `self.blow_up_inf = self.join(*[self.blow_up_utf32]*20)`. This is needed so that it generates large-enough payloads to trigger the out of memory errors the oracle relies on. Also install the script\u0027s dependencies with `pip`.\n\nThen run the Python script with:\n```\npython3 filters_chain_oracle_exploit.py --target [URL of the script] --parameter payload --file /etc/passwd\n```\n\nNote that the attack relies on certain character encodings being supported by the system\u0027s `iconv` library, because PHP uses that. As far as I know, most Linux distributions have them, but notably MacOS does not. So if you\u0027re developing on a Mac, you\u0027ll want to run your server in a virtual machine with Linux.\n\nHere\u0027s the results I got after about a minute of bruteforcing:\n\n\n\n### Impact\n\nAn attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials.",
"id": "GHSA-5gpr-w2p5-6m37",
"modified": "2025-03-06T18:12:43Z",
"published": "2024-10-07T15:57:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-5gpr-w2p5-6m37"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45290"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/a9693d1182df6695c14bc5d74315ac71a3398e5a"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/d95bc290beb137d4118095b96f62ec47e0205cec"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/e04ed222b36fd5fd6fed0c10c765c2b68effb465"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file"
}
GHSA-5WV7-58X2-44RH
Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-06-06 21:30A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'del_preset' endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences ('..'). As a result, an attacker can send a specially crafted request to the 'del_preset' endpoint to delete files outside of the intended directory.
{
"affected": [],
"aliases": [
"CVE-2024-2362"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-06T19:15:54Z",
"severity": "CRITICAL"
},
"details": "A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the \u0027del_preset\u0027 endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences (\u0027..\u0027). As a result, an attacker can send a specially crafted request to the \u0027del_preset\u0027 endpoint to delete files outside of the intended directory.",
"id": "GHSA-5wv7-58x2-44rh",
"modified": "2024-06-06T21:30:36Z",
"published": "2024-06-06T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2362"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/2433d0a4-9ba0-474b-be1a-6fd5019770ba"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-636V-W45R-96QJ
Vulnerability from github – Published: 2024-07-29 21:30 – Updated: 2024-08-05 12:31An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Remote unauthenticated attackers can upload files at an arbitrary path.
{
"affected": [],
"aliases": [
"CVE-2024-28806"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T19:15:12Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. Remote unauthenticated attackers can upload files at an arbitrary path.",
"id": "GHSA-636v-w45r-96qj",
"modified": "2024-08-05T12:31:15Z",
"published": "2024-07-29T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28806"
},
{
"type": "WEB",
"url": "https://www.gruppotim.it/it/footer/red-team.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-694V-63FQ-FMR4
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-18 19:57Scout is a Variant Call Format (VCF) visualization interface. The Pypi package scout-browser is vulnerable to path traversal due to send_file call in versions prior to 4.52.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "scout-browser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.52"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1554"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-36"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-18T19:57:37Z",
"nvd_published_at": "2022-05-03T09:15:00Z",
"severity": "MODERATE"
},
"details": "Scout is a Variant Call Format (VCF) visualization interface. The Pypi package `scout-browser` is vulnerable to path traversal due to `send_file` call in versions prior to 4.52.",
"id": "GHSA-694v-63fq-fmr4",
"modified": "2022-05-18T19:57:37Z",
"published": "2022-05-04T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1554"
},
{
"type": "WEB",
"url": "https://github.com/Clinical-Genomics/scout/issues/3128"
},
{
"type": "WEB",
"url": "https://github.com/Clinical-Genomics/scout/issues/3302"
},
{
"type": "WEB",
"url": "https://github.com/Clinical-Genomics/scout/pull/3303"
},
{
"type": "WEB",
"url": "https://github.com/clinical-genomics/scout/commit/952a2e2319af2d95d22b017a561730feac086ff1"
},
{
"type": "PACKAGE",
"url": "https://github.com/clinical-genomics/scout"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/7acac778-5ba4-4f02-99e2-e4e17a81e600"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Path Traversal in scout-browser"
}
GHSA-6CC2-6PX5-RX9P
Vulnerability from github – Published: 2025-11-17 21:31 – Updated: 2025-11-17 21:31IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system.
{
"affected": [],
"aliases": [
"CVE-2025-36357"
],
"database_specific": {
"cwe_ids": [
"CWE-36"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-17T20:15:51Z",
"severity": "HIGH"
},
"details": "IBM Planning Analytics Local 2.1.0 through 2.1.14 could allow a remote authenticated user to traverse directories on the system. An attacker could send a specially crafted URL request containing absolute path sequences to view, read, or write arbitrary files on the system.",
"id": "GHSA-6cc2-6px5-rx9p",
"modified": "2025-11-17T21:31:25Z",
"published": "2025-11-17T21:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36357"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7251265"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-597: Absolute Path Traversal
An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.