VYPR
High severity (7.5) · NVD Advisory · Published May 30, 2026

CVE-2018-25408

Description

The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename parameter to access files outside the intended directory, including configuration files and system files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Open ISES Project 3.30A (Tickets CAD) contains an unauthenticated path traversal vulnerability in ajax/download.php allowing arbitrary file download via the filename parameter.

Vulnerability

The Open ISES Project (also known as Tickets CAD) version 3.30A and earlier contains a path traversal vulnerability in the ajax/download.php endpoint. The filename parameter is not properly sanitized, allowing an attacker to supply directory traversal sequences such as ../ to access files outside the intended download directory. This affects all installations running version 3.30A or earlier [3].

Exploitation

An unauthenticated attacker with network access to the web server can exploit this vulnerability by sending a crafted HTTP GET request to ajax/download.php with a filename parameter containing ../ sequences. No authentication or user interaction is required. The attacker can systematically traverse directories to read arbitrary files on the server [3].
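As an added example (not part of the advisory or of the Open ISES project), the following Python script turns the request pattern described above into detection logic over web-server access logs: it scopes to requests for ajax/download.php, decodes the filename parameter repeatedly so double-encoded traversal is visible, and flags 200 responses as likely disclosures. The log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2026:10:01:02 +0000] "GET /ajax/download.php?filename=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/May/2026:10:01:07 +0000] "GET /ajax/download.php?filename=../../../../etc/passwd HTTP/1.1" 200 1710 "-" "curl/8.0"
203.0.113.9 - - [30/May/2026:10:01:09 +0000] "GET /ajax/download.php?filename=..%2F..%2Fconfig.php HTTP/1.1" 200 902 "-" "curl/8.0"
203.0.113.9 - - [30/May/2026:10:01:11 +0000] "GET /ajax/download.php?filename=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.7 - - [30/May/2026:10:02:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Dot-dot followed by either separator, or an absolute path: anything that
# can leave the download directory once the server joins it to a base path.
TRAVERSAL_RE = re.compile(r'(\.\.[\\/]|^[\\/])')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def detect_traversal(log_text: str, endpoint: str = "/ajax/download.php") -> list:
    """Return one finding per request to `endpoint` whose filename parameter
    contains a traversal sequence. A 200 response is the case to escalate:
    the server most likely returned the requested file."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != endpoint:
            continue
        # parse_qs already removes one layer of encoding; decode again so a
        # %25-encoded payload is judged on what the application would see.
        for raw in parse_qs(parts.query).get("filename", []):
            name = fully_decode(raw)
            if TRAVERSAL_RE.search(name):
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "status": int(m["status"]),
                    "filename": name,
                    "likely_disclosed": m["status"] == "200",
                })
    return findings


if __name__ == "__main__":
    for finding in detect_traversal(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports the three download.php requests from 203.0.113.9 and ignores both the legitimate download and the traversal attempt against a different endpoint; the first two findings carry a 200 status and should be treated as confirmed file reads, while the 403 shows the request was blocked.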

Impact

Successful exploitation allows the attacker to download arbitrary files from the server, including configuration files (e.g., database credentials, API keys) and system files (e.g., /etc/passwd). This leads to information disclosure, potentially compromising the entire application and underlying system. The confidentiality impact is high, while integrity and availability are not directly affected [3].

Mitigation

No official patch or workaround is disclosed in the available references. The project has since released version 3.44.1 (stable) and is developing v4.0 [2]; upgrading to the latest version may address the vulnerability, but this is not confirmed. Users should monitor the project's website for security updates and consider restricting access to the ajax/download.php endpoint via web server configuration until a fix is applied [3].

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation on the filename parameter in ajax/download.php allows directory traversal."

Attack vector

An unauthenticated attacker sends a crafted HTTP request to the `ajax/download.php` endpoint, supplying `../` sequences in the `filename` parameter. This path traversal [CWE-22] allows the attacker to read arbitrary files on the server, including configuration and system files, without any authentication [ref_id=1].

Affected code

The vulnerability is in `ajax/download.php` of The Open ISES Project 3.30A. The `filename` parameter is not sanitized for directory traversal sequences, allowing access to files outside the intended directory.

What the fix does

The advisory does not provide a patch or specific remediation code. To fix the vulnerability, the application must validate and sanitize the `filename` parameter in `ajax/download.php`, rejecting any input containing directory traversal sequences like `../` and ensuring the resolved path stays within the intended download directory [ref_id=1].
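The remediation described above, as an added example that is not the project's code: the check is written in Python rather than the application's PHP so the logic can be exercised stand-alone, and DOWNLOAD_ROOT, the allowlist pattern and the function names are assumptions. It layers two independent controls, an allowlist on the raw name and a containment check on the canonical path, which is what "ensuring the resolved path stays within the intended download directory" means in practice.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical download root; in the real application this would be the
# directory ajax/download.php is meant to serve from.
DOWNLOAD_ROOT = "/var/www/ises/downloads"

# Plain file names only: letters, digits, dot, dash, underscore, and no
# leading dot (blocks ".htaccess"-style hidden files). Slashes and
# backslashes are rejected outright, so "../" never reaches the filesystem.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]*$")


class UnsafeFilename(ValueError):
    """Raised for any filename that fails either check."""


def resolve_download_path(filename: str, root: str = DOWNLOAD_ROOT) -> str:
    """Return the absolute path to serve, or raise UnsafeFilename.

    Check 1: allowlist the raw name after full percent-decoding.
    Check 2: canonicalise and confirm the result is still under `root`.
    Check 1 alone stops this CVE; check 2 is defence in depth for symlinks
    and for any future change that allows sub-directories.
    """
    # Decode until stable so "%252e%252e%252f" is judged as "../"
    decoded = filename
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or not SAFE_NAME.fullmatch(decoded):
        raise UnsafeFilename(f"rejected filename {filename!r}")

    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath compares whole path components, not characters, so a
    # sibling such as ".../downloads-private" is not mistaken for the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafeFilename(f"{candidate} escapes {root_real}")
    return candidate


def is_safe(filename: str, root: str = DOWNLOAD_ROOT) -> bool:
    """Convenience wrapper for callers that only need a yes/no decision."""
    try:
        resolve_download_path(filename, root)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    for name in ["report.pdf", "../../etc/passwd", "..%2F..%2Fconfig.php",
                 "/etc/passwd", "%252e%252e%252fetc%252fshadow"]:
        print(f"{name!r:40} -> {'allowed' if is_safe(name) else 'rejected'}")
```

In PHP the same two steps map onto a `preg_match()` allowlist on the decoded parameter followed by `realpath()` on the joined path and a prefix comparison against `realpath()` of the download directory; a `null` return from `realpath()` (file does not exist) should also be treated as a rejection rather than falling through to `readfile()`.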

Preconditions

  • config: The target must be running The Open ISES Project version 3.30A or earlier.
  • network: The ajax/download.php endpoint must be reachable over the network.
  • auth: No authentication is required.
  • input: The attacker supplies ../ sequences in the filename parameter.

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
