VYPR

CWE-31

Path Traversal: 'dir\..\..\filename'

Variant (abstraction) · Draft (status)

Description

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\..\..\filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory.
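The sequence in the description only traverses where the file system treats the backslash as a separator. The Python below is an illustration added to this entry, not code from CWE or from any of the products listed further down: it shows a filter that blocks only the `../` form, the naive join that lets `reports\..\..\config\secrets.ini` resolve above the restricted directory on a Windows host, and a hardened resolver that canonicalises with the rules of the platform that will open the file (`ntpath`) before checking containment. `BASE`, the input strings and the file names are assumptions made for the example.

```python
import ntpath
import posixpath

# Hypothetical restricted directory on a Windows host (assumption for this example).
BASE = r"C:\app\files"

# Constructed attacker-controlled inputs; "cwe31" is the shape this entry describes.
INPUTS = {
    "benign": r"reports\2024\q1.txt",
    "cwe31": r"reports\..\..\config\secrets.ini",    # dir\..\..\filename
    "mixed": "reports/..\\../config/secrets.ini",    # both separator styles
    "absolute": r"C:\config\secrets.ini",            # drive-absolute, discards BASE
    "rooted": r"\config\secrets.ini",                # root-relative, discards BASE
}


def naive_filter(user_path: str) -> bool:
    """The kind of check that leaves CWE-31 open: it only recognises the
    forward-slash form of dot-dot, so a backslash sequence passes untouched."""
    return "../" not in user_path


def naive_join(user_path: str) -> str:
    """Vulnerable sink: concatenate and let the OS interpret the result."""
    return ntpath.join(BASE, user_path)


def where_windows_opens(user_path: str) -> str:
    """The location the Windows file system actually resolves the naive join to."""
    return ntpath.normpath(naive_join(user_path))


def resolve_within(user_path: str, base: str = BASE, flavour=ntpath):
    """Hardened version: canonicalise base + user_path with the rules of the
    platform that will open the file, then accept it only if it is still
    inside base. Returns the canonical path, or None if it escapes.
    The check is lexical (normpath): symlinks and junctions are not followed."""
    if "\x00" in user_path:
        return None
    base_norm = flavour.normcase(flavour.normpath(base))
    candidate = flavour.normpath(flavour.join(base, user_path))
    cand_norm = flavour.normcase(candidate)
    # "base + sep" stops C:\app\files2 from passing as inside C:\app\files.
    if cand_norm == base_norm or cand_norm.startswith(base_norm + flavour.sep):
        return candidate
    return None


def posix_view(user_path: str, base: str = "/srv/files"):
    """Same bytes on a POSIX host: backslash is an ordinary filename byte, so
    the sequence names one oddly named file inside base and does not traverse."""
    return resolve_within(user_path, base=base, flavour=posixpath)


if __name__ == "__main__":
    for name, p in INPUTS.items():
        print(f"{name:8} filter={naive_filter(p)!s:5} "
              f"naive->{where_windows_opens(p)}  hardened->{resolve_within(p)}")
    print("posix    ", posix_view(INPUTS["cwe31"]))
```

Running the block prints each input's outcome under the filter, the naive join and the hardened resolver. Two caveats on the hardened path: the containment check is lexical, so a symlink or junction inside `BASE` can still point outside it (resolve the real path, or open relative to a directory handle, after the check), and it does not canonicalise Windows-specific name forms such as 8.3 short names, trailing dots or spaces, or `\\?\` prefixes. The `posix_view` call shows the other side of the same point: on a Linux host the identical bytes name a single file inside `/srv/files`, which is why a filter written for one platform's separator says nothing about the other.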

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (4)

  • CVE-2019-6268 · High · Mar 8, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.

  • CVE-2024-36857 · Jun 4, 2024
    risk 0.04 · cvss not listed · epss 0.02

    Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.

  • CVE-2024-2044 · Mar 7, 2024
    risk 0.02 · cvss not listed · epss 0.79

    pgAdmin <= 8.3 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server…

  • CVE-2024-22723 · Feb 28, 2024
    risk 0.00 · cvss not listed · epss 0.01

    Webtrees 2.1.18 is vulnerable to Directory Traversal. By manipulating the "media_folder" parameter in the URL, an attacker (in this case, an administrator) can navigate beyond the intended directory (the 'media/' directory) to access sensitive files in other parts of the…