CWE-24
AllowedPath Traversal: '../filedir'
Abstraction: Variant · Status: Incomplete
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
187 vulnerabilities reference this CWE, most recent first.
GHSA-6M8G-7XRR-8Q5F
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.
{
"affected": [],
"aliases": [
"CVE-2026-49103"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T15:16:34Z",
"severity": "CRITICAL"
},
"details": "Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi.",
"id": "GHSA-6m8g-7xrr-8q5f",
"modified": "2026-05-27T15:33:28Z",
"published": "2026-05-27T15:33:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49103"
},
{
"type": "WEB",
"url": "https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1"
},
{
"type": "WEB",
"url": "https://github.com/webmin/webmin/compare/2.630...2.640"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6V3V-M4WM-CHJF
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00The tested version of Dominion Voting System ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS.
{
"affected": [],
"aliases": [
"CVE-2022-1743"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T15:15:00Z",
"severity": "HIGH"
},
"details": "The tested version of Dominion Voting System ImageCast X can be manipulated to cause arbitrary code execution by specially crafted election definition files. An attacker could leverage this vulnerability to spread malicious code to ImageCast X devices from the EMS.",
"id": "GHSA-6v3v-m4wm-chjf",
"modified": "2022-07-07T00:00:29Z",
"published": "2022-06-25T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1743"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-764P-G9XX-6QM8
Vulnerability from github – Published: 2025-04-20 03:50 – Updated: 2025-04-20 03:50In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing.
{
"affected": [],
"aliases": [
"CVE-2025-43928"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-20T03:15:35Z",
"severity": "MODERATE"
},
"details": "In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing.",
"id": "GHSA-764p-g9xx-6qm8",
"modified": "2025-04-20T03:50:41Z",
"published": "2025-04-20T03:50:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43928"
},
{
"type": "WEB",
"url": "https://cfp.eh22.easterhegg.eu/eh22/talk/9UDXSE"
},
{
"type": "WEB",
"url": "https://mint-secure.de/path-traversal-vulnerability-in-surveillance-software"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-77RV-VMXX-P9GP
Vulnerability from github – Published: 2025-08-05 00:30 – Updated: 2025-08-05 00:30LiquidFiles before 4.1.2 allows directory traversal by configuring the pathname of a local executable file as an Actionscript.
{
"affected": [],
"aliases": [
"CVE-2025-46094"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-04T23:15:28Z",
"severity": "LOW"
},
"details": "LiquidFiles before 4.1.2 allows directory traversal by configuring the pathname of a local executable file as an Actionscript.",
"id": "GHSA-77rv-vmxx-p9gp",
"modified": "2025-08-05T00:30:26Z",
"published": "2025-08-05T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46094"
},
{
"type": "WEB",
"url": "https://docs.liquidfiles.com/release_notes/version_4-1-x.html"
},
{
"type": "WEB",
"url": "https://projectblack.io/blog/liquidfiles-vulnerability-authenticated-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-78J5-8VQ7-JXV5
Vulnerability from github – Published: 2025-09-04 15:30 – Updated: 2025-09-05 15:33When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/usememos/memos"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-56760"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-05T15:33:36Z",
"nvd_published_at": "2025-09-03T17:15:34Z",
"severity": "MODERATE"
},
"details": "When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.",
"id": "GHSA-78j5-8vq7-jxv5",
"modified": "2025-09-05T15:33:36Z",
"published": "2025-09-04T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56760"
},
{
"type": "PACKAGE",
"url": "https://github.com/usememos/memos"
},
{
"type": "WEB",
"url": "https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48"
},
{
"type": "WEB",
"url": "https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Memos Vulnerable to Path Traversal via the CreateResource Endpoint"
}
GHSA-7RF6-522Q-9WQ4
Vulnerability from github – Published: 2022-12-27 09:30 – Updated: 2023-01-06 06:30A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler. The manipulation of the argument uri leads to path traversal: '../filedir'. The attack may be initiated remotely. The name of the patch is 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216863.
{
"affected": [],
"aliases": [
"CVE-2019-25087"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-27T09:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in RamseyK httpserver. It has been rated as critical. This issue affects the function ResourceHost::getResource of the file src/ResourceHost.cpp of the component URI Handler. The manipulation of the argument uri leads to path traversal: \u0027../filedir\u0027. The attack may be initiated remotely. The name of the patch is 1a0de56e4dafff9c2f9c8f6b130a764f7a50df52. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216863.",
"id": "GHSA-7rf6-522q-9wq4",
"modified": "2023-01-06T06:30:25Z",
"published": "2022-12-27T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25087"
},
{
"type": "WEB",
"url": "https://github.com/RamseyK/httpserver/commit/1a0de56e4dafff9c2f9c8f6b130a764f7a50df52"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.216863"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216863"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-824X-88XG-CWRV
Vulnerability from github – Published: 2026-01-05 20:02 – Updated: 2026-01-08 20:07Summary
Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality.
Details
The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories.
An attacker can supply relative paths containing ../ sequences (or even absolute paths inside the document root) to include any readable file in the generated .tar.gz archive.
Vulnerable code:
- redaxo/src/addons/backup/pages/export.php (lines 72-76) – directly uses $_POST['EXPDIR']
- redaxo/src/addons/backup/lib/backup.php (lines ~413 & ~427) – concatenates unsanitized user input with base path
This allows disclosure of sensitive files such as:
- redaxo/data/core/config.yml → database credentials + password hashes of all backend users
- .env, custom configuration files, logs, uploaded malicious files, etc.
Affected versions
≤ 5.20.1 (confirmed working)
Patched versions
None (as of 2025-12-09)
PoC – Extracting database credentials and password hashes
- Log in as any user with Backup permission
- Go to Backup → Export → Files
- Intercept the request with Burp Suite
- Change one
EXPDIR[]value to../../../../var/www/html/redaxo/data/core
-
Send request → download archive
-
Extract and open
data/core/config.yml
Result: plaintext database password
Impact
Full compromise of the REDAXO installation: - Database takeover - Password hash extraction → offline cracking → admin access - When combined with other vulnerabilities → RCE
CVSS 4.0 vector & score below.
Credits
Discovered by: Łukasz Rybak
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.20.1"
},
"package": {
"ecosystem": "Packagist",
"name": "redaxo/source"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.20.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-21857"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-05T20:02:58Z",
"nvd_published_at": "2026-01-07T23:15:50Z",
"severity": "HIGH"
},
"details": "### Summary\nAuthenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon\u0027s file export functionality.\n\u003cimg width=\"664\" height=\"899\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5\" /\u003e\n\u003cimg width=\"2358\" height=\"445\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb\" /\u003e\n\n\n### Details\nThe Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. \nAn attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive.\n\nVulnerable code:\n- `redaxo/src/addons/backup/pages/export.php` (lines 72-76) \u2013 directly uses `$_POST[\u0027EXPDIR\u0027]`\n- `redaxo/src/addons/backup/lib/backup.php` (lines ~413 \u0026 ~427) \u2013 concatenates unsanitized user input with base path\n\nThis allows disclosure of sensitive files such as:\n- `redaxo/data/core/config.yml` \u2192 database credentials + password hashes of all backend users\n- `.env`, custom configuration files, logs, uploaded malicious files, etc.\n\n### Affected versions\n\u2264 5.20.1 (confirmed working)\n\n### Patched versions\nNone (as of 2025-12-09)\n\n### PoC \u2013 Extracting database credentials and password hashes\n1. Log in as any user with Backup permission\n2. Go to Backup \u2192 Export \u2192 Files\n\n\u003cimg width=\"1240\" height=\"960\" alt=\"image\" src=\"https://github.com/user-attachments/assets/bc05ba18-9664-4be2-b637-4fec3a0f409a\" /\u003e\n\n3. Intercept the request with Burp Suite \n\n\u003cimg width=\"2184\" height=\"478\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9fa754a1-2cd0-4d3d-a5cc-cfa34c8a1718\" /\u003e\n\n4. Change one `EXPDIR[]` value to `../../../../var/www/html/redaxo/data/core`\n\n\u003cimg width=\"978\" height=\"591\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d15f5c7f-b72c-44cc-9be2-da8d3f26f124\" /\u003e\n\n5. Send request \u2192 download archive\n\u003cimg width=\"423\" height=\"131\" alt=\"image\" src=\"https://github.com/user-attachments/assets/db8a8bda-cdaf-4dea-812f-1e312da908e2\" /\u003e\n\n6. Extract and open `data/core/config.yml`\n\u003cimg width=\"859\" height=\"281\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c8112ce1-5a1d-435f-953b-7eb4e711e042\" /\u003e\n\nResult: plaintext database password \n\u003cimg width=\"2534\" height=\"1198\" alt=\"image\" src=\"https://github.com/user-attachments/assets/218ae917-868a-437e-98b0-6471b82c0b10\" /\u003e\n\n### Impact\nFull compromise of the REDAXO installation:\n- Database takeover\n- Password hash extraction \u2192 offline cracking \u2192 admin access\n- When combined with other vulnerabilities \u2192 RCE\n\nCVSS 4.0 vector \u0026 score below.\n\n### Credits\nDiscovered by: \u0141ukasz Rybak",
"id": "GHSA-824x-88xg-cwrv",
"modified": "2026-01-08T20:07:42Z",
"published": "2026-01-05T20:02:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/redaxo/redaxo/security/advisories/GHSA-824x-88xg-cwrv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21857"
},
{
"type": "PACKAGE",
"url": "https://github.com/redaxo/redaxo"
},
{
"type": "WEB",
"url": "https://github.com/redaxo/redaxo/releases/tag/5.20.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read"
}
GHSA-84PC-MJPF-2CMC
Vulnerability from github – Published: 2023-12-21 21:30 – Updated: 2023-12-21 21:30A vulnerability, which was classified as critical, has been found in codelyfe Stupid Simple CMS up to 1.2.4. Affected by this issue is some unknown functionality of the file /file-manager/rename.php. The manipulation of the argument newName leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-248690 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-7041"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-21T20:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in codelyfe Stupid Simple CMS up to 1.2.4. Affected by this issue is some unknown functionality of the file /file-manager/rename.php. The manipulation of the argument newName leads to path traversal: \u0027../filedir\u0027. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-248690 is the identifier assigned to this vulnerability.",
"id": "GHSA-84pc-mjpf-2cmc",
"modified": "2023-12-21T21:30:31Z",
"published": "2023-12-21T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7041"
},
{
"type": "WEB",
"url": "https://github.com/g1an123/POC/blob/main/Unauthorized%20file%20overwrite.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.248690"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.248690"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8FRC-4G87-V5H6
Vulnerability from github – Published: 2024-01-11 09:30 – Updated: 2026-04-08 21:32The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.10.33 via the css parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2023-6699"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-11T07:15:09Z",
"severity": "CRITICAL"
},
"details": "The WP Compress \u2013 Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.10.33 via the css parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.",
"id": "GHSA-8frc-4g87-v5h6",
"modified": "2026-04-08T21:32:09Z",
"published": "2024-01-11T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6699"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3009183%40wp-compress-image-optimizer%2Ftrunk\u0026old=2994665%40wp-compress-image-optimizer%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/defb87dd-bf5f-411f-b948-699337d05d44?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8HX5-P84Q-7QHG
Vulnerability from github – Published: 2023-06-14 09:30 – Updated: 2023-06-14 09:30A vulnerability, which was classified as problematic, was found in OTCMS up to 6.62. Affected is an unknown function of the file admin/readDeal.php?mudi=readQrCode. The manipulation of the argument img leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. VDB-231510 is the identifier assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-3239"
],
"database_specific": {
"cwe_ids": [
"CWE-24"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T09:15:09Z",
"severity": "LOW"
},
"details": "A vulnerability, which was classified as problematic, was found in OTCMS up to 6.62. Affected is an unknown function of the file admin/readDeal.php?mudi=readQrCode. The manipulation of the argument img leads to path traversal: \u0027../filedir\u0027. The exploit has been disclosed to the public and may be used. VDB-231510 is the identifier assigned to this vulnerability.",
"id": "GHSA-8hx5-p84q-7qhg",
"modified": "2023-06-14T09:30:42Z",
"published": "2023-06-14T09:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3239"
},
{
"type": "WEB",
"url": "https://github.com/HuBenLab/HuBenVulList/blob/main/OTCMS%20was%20discovered%20obtain%20the%20web%20directory%20path%20and%20other%20information%20leaked%20.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.231510"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.231510"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5.1
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.