CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-MV2P-XXQX-RG9J
Vulnerability from github – Published: 2023-06-16 18:30 – Updated: 2024-04-04 04:55jfinal CMS 5.1.0 has an arbitrary file read vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-34645"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-16T18:15:09Z",
"severity": "HIGH"
},
"details": "jfinal CMS 5.1.0 has an arbitrary file read vulnerability.",
"id": "GHSA-mv2p-xxqx-rg9j",
"modified": "2024-04-04T04:55:10Z",
"published": "2023-06-16T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34645"
},
{
"type": "WEB",
"url": "https://github.com/jflyfox/jfinal_cms/issues/57"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MV68-J39W-7QFQ
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /icons/ directories via GET Parameter.
{
"affected": [],
"aliases": [
"CVE-2020-27368"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-14T16:15:00Z",
"severity": "MODERATE"
},
"details": "Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /icons/ directories via GET Parameter.",
"id": "GHSA-mv68-j39w-7qfq",
"modified": "2022-05-24T17:39:17Z",
"published": "2022-05-24T17:39:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27368"
},
{
"type": "WEB",
"url": "https://github.com/swzhouu/CVE-2020-27368"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MWFM-2CM9-PFHJ
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint.
{
"affected": [],
"aliases": [
"CVE-2021-35203"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-30T18:15:00Z",
"severity": "MODERATE"
},
"details": "NETSCOUT Systems nGeniusONE 6.3.0 build 1196 allows Arbitrary File Read operations via the FDSQueryService endpoint.",
"id": "GHSA-mwfm-2cm9-pfhj",
"modified": "2022-05-24T19:16:10Z",
"published": "2022-05-24T19:16:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35203"
},
{
"type": "WEB",
"url": "https://www.netscout.com/securityadvisories"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P25H-W2RQ-V3CW
Vulnerability from github – Published: 2024-10-11 18:32 – Updated: 2024-10-16 00:30A directory listing issue in the baserCMS plugin in D-ZERO CO., LTD. BurgerEditor and BurgerEditor Limited Edition before 2.25.1 allows remote attackers to obtain sensitive information by exposing a list of the uploaded files.
{
"affected": [],
"aliases": [
"CVE-2024-44807"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-11T18:15:08Z",
"severity": "MODERATE"
},
"details": "A directory listing issue in the baserCMS plugin in D-ZERO CO., LTD. BurgerEditor and BurgerEditor Limited Edition before 2.25.1 allows remote attackers to obtain sensitive information by exposing a list of the uploaded files.",
"id": "GHSA-p25h-w2rq-v3cw",
"modified": "2024-10-16T00:30:57Z",
"published": "2024-10-11T18:32:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44807"
},
{
"type": "WEB",
"url": "https://burger.d-zero.co.jp/blogs/archives/2"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN54676967"
},
{
"type": "WEB",
"url": "https://jvn.jp/jp/JVN54676967"
},
{
"type": "WEB",
"url": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000109.html"
},
{
"type": "WEB",
"url": "http://basercms.com"
},
{
"type": "WEB",
"url": "http://burgereditor.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P39H-6928-4FQ5
Vulnerability from github – Published: 2023-08-03 18:30 – Updated: 2024-04-04 06:31An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin.
{
"affected": [],
"aliases": [
"CVE-2023-38948"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-03T16:15:12Z",
"severity": "HIGH"
},
"details": "An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin.",
"id": "GHSA-p39h-6928-4fq5",
"modified": "2024-04-04T06:31:58Z",
"published": "2023-08-03T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38948"
},
{
"type": "WEB",
"url": "https://gitee.com/CTF-hacker/pwn/issues/I7LI4E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P4Q4-268X-8WF9
Vulnerability from github – Published: 2023-08-03 12:31 – Updated: 2024-04-04 06:31In multiple Codesys products in multiple versions, after successful authentication as a user, specially crafted network communication requests can utilize the CmpApp component to download files with any file extensions to the controller. In contrast to the regular file download via CmpFileTransfer, no filtering of certain file types is performed here. As a result, the integrity of the CODESYS control runtime system may be compromised by the files loaded onto the controller.
{
"affected": [],
"aliases": [
"CVE-2023-37551"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-03T12:15:10Z",
"severity": "MODERATE"
},
"details": "In multiple Codesys products in multiple versions, after successful authentication as a user, specially crafted network communication requests can utilize the CmpApp component to download files with any file extensions to the controller. In contrast to the regular file download via CmpFileTransfer, no filtering of certain file types is performed here. As a result, the integrity of the CODESYS control runtime system may be compromised by the files loaded onto the controller.",
"id": "GHSA-p4q4-268x-8wf9",
"modified": "2024-04-04T06:31:05Z",
"published": "2023-08-03T12:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37551"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2023-019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P4RQ-6JPQ-3WQJ
Vulnerability from github – Published: 2025-09-02 21:30 – Updated: 2025-09-02 21:30CData API Server MySQL Misconfiguration Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of CData API Server. Authentication is required to exploit this vulnerability.
The specific flaw exists within the usage of MySQL connections. When connecting to a MySQL server, the product enables an option that gives the MySQL server permission to request local files from the MySQL client. An attacker can leverage this vulnerability to disclose information in the context of NETWORK SERVICE. Was ZDI-CAN-23950.
{
"affected": [],
"aliases": [
"CVE-2025-9273"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-02T20:15:39Z",
"severity": "MODERATE"
},
"details": "CData API Server MySQL Misconfiguration Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of CData API Server. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the usage of MySQL connections. When connecting to a MySQL server, the product enables an option that gives the MySQL server permission to request local files from the MySQL client. An attacker can leverage this vulnerability to disclose information in the context of NETWORK SERVICE. Was ZDI-CAN-23950.",
"id": "GHSA-p4rq-6jpq-3wqj",
"modified": "2025-09-02T21:30:59Z",
"published": "2025-09-02T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9273"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-852"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P58C-Q354-6C4F
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-18 14:51Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints.
User-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the pgAdmin process, or coerce pgAdmin into making requests to internal targets (e.g. cloud metadata services such as 169.254.169.254) by setting api_url, exploiting the chat path and model-list endpoints.
Fix restricts api_key_file to the user's private storage (server mode) or home directory (desktop mode), enforces a printable-ASCII key shape and a 1024-byte read cap, and gates api_url against a configurable allow-list (config.ALLOWED_LLM_API_URLS) at every entry point.
This issue affects pgAdmin 4: before 9.15.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pgadmin4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-7817"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T14:51:08Z",
"nvd_published_at": "2026-05-11T16:17:38Z",
"severity": "HIGH"
},
"details": "Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints.\n\nUser-supplied api_key_file and api_url preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by pointing api_key_file at any path readable by the pgAdmin process, or coerce pgAdmin into making requests to internal targets (e.g. cloud metadata services such as 169.254.169.254) by setting api_url, exploiting the chat path and model-list endpoints.\n\nFix restricts api_key_file to the user\u0027s private storage (server mode) or home directory (desktop mode), enforces a printable-ASCII key shape and a 1024-byte read cap, and gates api_url against a configurable allow-list (config.ALLOWED_LLM_API_URLS) at every entry point.\n\nThis issue affects pgAdmin 4: before 9.15.",
"id": "GHSA-p58c-q354-6c4f",
"modified": "2026-05-18T14:51:08Z",
"published": "2026-05-11T18:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7817"
},
{
"type": "WEB",
"url": "https://github.com/pgadmin-org/pgadmin4/issues/9900"
},
{
"type": "WEB",
"url": "https://github.com/pgadmin-org/pgadmin4/commit/24485fe96"
},
{
"type": "PACKAGE",
"url": "https://github.com/pgadmin-org/pgadmin4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "pgAdmin 4 contains local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities"
}
GHSA-P7F5-95M3-2FW7
Vulnerability from github – Published: 2023-11-06 21:31 – Updated: 2023-11-14 18:30The Front End PM WordPress plugin before 11.4.3 does not block listing the contents of the directories where it stores attachments to private messages, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled.
{
"affected": [],
"aliases": [
"CVE-2023-4930"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-06T21:15:09Z",
"severity": "MODERATE"
},
"details": "The Front End PM WordPress plugin before 11.4.3 does not block listing the contents of the directories where it stores attachments to private messages, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled.",
"id": "GHSA-p7f5-95m3-2fw7",
"modified": "2023-11-14T18:30:23Z",
"published": "2023-11-06T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4930"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/c73b3276-e6f1-4f22-a888-025e5d0504f2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P7HH-R4JX-72FM
Vulnerability from github – Published: 2024-07-22 21:30 – Updated: 2024-09-10 21:31Files on the Windows system are accessible without authentication to external parties due to a local file inclusion in PerkinElmer ProcessPlus.This issue affects ProcessPlus: through 1.11.6507.0.
{
"affected": [],
"aliases": [
"CVE-2024-6911"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-22T21:15:05Z",
"severity": "HIGH"
},
"details": "Files on the Windows system are accessible without authentication to external parties due to a local file inclusion in PerkinElmer ProcessPlus.This issue affects ProcessPlus: through 1.11.6507.0.",
"id": "GHSA-p7hh-r4jx-72fm",
"modified": "2024-09-10T21:31:38Z",
"published": "2024-07-22T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6911"
},
{
"type": "WEB",
"url": "https://cyberdanube.com/en/en-multiple-vulnerabilities-in-perten-processplus"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.