CWE-552

Files or Directories Accessible to External Parties

Base · Draft

Description

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-150 · CAPEC-639

CVEs mapped to this weakness (182)

page 6 of 10
  • CVE-2025-58152 · Med · Oct 31, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    FutureNet MA and IP-K series provided by Century Systems Co., Ltd. put the firmware version and the garbage collection information on the internal web page. With some crafted HTTP request, they can be accessed without authentication.

  • CVE-2025-52460 · Med · Aug 28, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Files or directories accessible to external parties issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If exploited, uploaded files and SS1 configuration files may be accessed by a remote unauthenticated attacker.

  • CVE-2024-9945 · Med · Dec 13, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders.

  • CVE-2024-8655 · Med · Sep 10, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has been classified as problematic. This affects an unknown part of the file /web-static/. The manipulation leads to files or directories accessible. It is possible to initiate the attack remotely. The exploit has…

  • CVE-2024-5587 · Med · Jun 2, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability was found in Casdoor up to 1.335.0. It has been classified as problematic. Affected is an unknown function of the file /conf/app.conf of the component Configuration File Handler. The manipulation leads to files or directories accessible. It is possible to launch…

  • CVE-2017-6774 · Med · Aug 17, 2017
    risk 0.33 · cvss 5.0 · epss 0.01

    A vulnerability in Cisco ASR 5000 Series Aggregated Services Routers running the Cisco StarOS operating system could allow an authenticated, remote attacker to overwrite or modify sensitive system files. The vulnerability is due to the inclusion of sensitive system files within…

  • CVE-2026-42063 · Med · May 13, 2026
    risk 0.32 · cvss 4.9 · epss 0.00

    A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-6418 · Med · May 5, 2026
    risk 0.32 · cvss 4.9 · epss 0.00

    An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an…

  • CVE-2017-7737 · Med · Aug 10, 2017
    risk 0.32 · cvss 4.9 · epss 0.01

    An information disclosure vulnerability in Fortinet FortiWeb 5.8.2 and below versions allows a logged-in admin user to view the SNMPv3 user password in cleartext in the webui via the HTML source code.

  • CVE-2024-29225 · Med · Apr 4, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    ELECOM wireless LAN routers allow a network-adjacent unauthenticated attacker to obtain the configuration file containing sensitive information by sending a specially crafted request.

  • CVE-2017-1602 · Med · Mar 23, 2018
    risk 0.28 · cvss 4.3 · epss 0.01

    IBM RSA DM (IBM Rational Collaborative Lifecycle Management 5.0 and 6.0) could allow an authenticated user to access settings that they should not be able to using a specially crafted URL. IBM X-Force ID: 132625.

  • CVE-2026-45543 · Med · Jun 1, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user…

  • CVE-2025-12648 · Med · Jan 7, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing…

  • CVE-2025-12747 · Med · Nov 21, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated attackers to extract…

  • CVE-2025-12894 · Med · Nov 21, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible…

  • CVE-2025-4634 · Med · May 30, 2025
    risk 0.27 · cvss 4.1 · epss 0.00

    The web portal on airpointer 2.4.107-2 was vulnerable to local file inclusion. A malicious user with administrative privileges in the web portal would be able to manipulate requests to view files on the filesystem.

  • CVE-2024-49756 · Med · Oct 23, 2024
    risk 0.27 · cvss 5.3 · epss 0.01

    AshPostgres is the PostgreSQL data layer for Ash Framework. Starting in version 2.0.0 and prior to version 2.4.10, in certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on "empty" update actions (no changing…

  • CVE-2025-15153 · Low · Dec 28, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A weakness has been identified in PbootCMS up to 3.2.12. Impacted is an unknown function of the file /data/pbootcms.db of the component SQLite Database. Executing a manipulation can lead to files or directories accessible. It is possible to launch the attack remotely. Attacks of…

  • CVE-2025-14697 · Low · Dec 15, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A security flaw has been discovered in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this issue is some unknown functionality of the file /ExportFiles/. The manipulation results in files or directories accessible. The attack may…

  • CVE-2020-17519 · KEV · Jan 5, 2021
    risk 0.23 · cvss · epss 0.98

    A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager…