VYPR

CWE-552

Files or Directories Accessible to External Parties

BaseDraft

Description

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-150 · CAPEC-639

CVEs mapped to this weakness (182)

page 8 of 10
  • CVE-2025-21609Jan 3, 2025
    risk 0.00cvss epss 0.01

    SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this…

  • CVE-2024-51058Nov 26, 2024
    risk 0.00cvss epss 0.01

    Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through src tag, potentially exposing sensitive information.

  • CVE-2024-52292Nov 13, 2024
    risk 0.00cvss epss 0.01

    Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By…

  • CVE-2023-49198Aug 21, 2024
    risk 0.00cvss epss 0.01

    Mysql security vulnerability in Apache SeaTunnel. Attackers can read files on the MySQL server by modifying the information in the MySQL URL allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360 This issue affects Apache…

  • CVE-2024-27182Aug 2, 2024
    risk 0.00cvss epss 0.01

    In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Users are recommended to upgrade to version 1.6.0, which fixes this issue.

  • CVE-2024-40767Jul 24, 2024
    risk 0.00cvss epss 0.01

    In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of…

  • CVE-2023-41916Jul 15, 2024
    risk 0.00cvss epss 0.01

    In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted.…

  • CVE-2024-32498Jul 5, 2024
    risk 0.00cvss epss 0.01

    An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may…

  • CVE-2024-5262Jun 5, 2024
    risk 0.00cvss epss 0.01

    Files or Directories Accessible to External Parties vulnerability in smb server in ProjectDiscovery Interactsh allows remote attackers to read/write any files in the directory and subdirectories of where the victim runs interactsh-server via anonymous login.

  • CVE-2024-34066May 3, 2024
    risk 0.00cvss epss 0.01

    Pterodactyl wings is the server control plane for Pterodactyl Panel. If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is…

  • CVE-2023-50164Dec 7, 2023
    risk 0.00cvss epss 0.81

    An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or…

  • CVE-2023-29931Jun 22, 2023
    risk 0.00cvss epss 0.01

    laravel-s 3.7.35 is vulnerable to Local File Inclusion via /src/Illuminate/Laravel.php.

  • CVE-2023-2976Jun 14, 2023
    risk 0.00cvss epss 0.00

    Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able…

  • CVE-2023-33568Jun 13, 2023
    risk 0.00cvss epss 0.15

    An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.

  • CVE-2023-32684May 30, 2023
    risk 0.00cvss epss 0.00

    Lima launches Linux virtual machines, typically on macOS, for running containerd. Prior to version 0.16.0, a virtual machine instance with a malicious disk image could read a single file on the host filesystem, even when no filesystem is mounted from the host. The official…

  • CVE-2023-31064May 22, 2023
    risk 0.00cvss epss 0.01

    Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. the user in InLong could cancel an application that doesn't belongs to it. Users are advised to upgrade to…

  • CVE-2023-31066May 22, 2023
    risk 0.00cvss epss 0.01

    Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. Different users in InLong could delete, edit, stop, and start others' sources! Users are advised to upgrade…

  • CVE-2022-47950Jan 18, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to…

  • CVE-2022-23508Jan 9, 2023
    risk 0.00cvss epss 0.00

    Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in GitOps run could allow a local user or process to alter a Kubernetes cluster's resources. GitOps run has a local S3…

  • CVE-2022-45129Nov 10, 2022
    risk 0.00cvss epss 0.01

    Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara…