Common Weakness Enumeration

CWE-36

Allowed

Absolute Path Traversal

Abstraction: Base · Status: Draft

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

245 vulnerabilities reference this CWE, most recent first.

GHSA-R7FM-WMVM-97PQ

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-03 00:00
VLAI
Details

Absolute Path Traversal vulnerability in FileDownload in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-07T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Absolute Path Traversal vulnerability in FileDownload in QSAN Storage Manager allows remote authenticated attackers download arbitrary files via the Url path parameter.",
  "id": "GHSA-r7fm-wmvm-97pq",
  "modified": "2022-07-03T00:00:23Z",
  "published": "2022-05-24T19:07:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32507"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-4863-57d4a-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9CX-9CPR-WWG2

Vulnerability from github – Published: 2025-09-04 12:30 – Updated: 2025-09-04 12:30
VLAI
Details

The atec Debug plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to view the contents of files outside of the originally intended directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T10:42:35Z",
    "severity": "MODERATE"
  },
  "details": "The atec Debug plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.22 via the \u0027custom_log\u0027 parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to view the contents of files outside of the originally intended directory.",
  "id": "GHSA-r9cx-9cpr-wwg2",
  "modified": "2025-09-04T12:30:42Z",
  "published": "2025-09-04T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9516"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/atec-debug/trunk/includes/ATEC/CONFIG.php#L327"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3355260%40atec-debug%2Ftrunk\u0026old=3342365%40atec-debug%2Ftrunk"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf43620-34ee-4e4f-b6ee-d24fbdbc894e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RG75-Q538-X34V

Vulnerability from github – Published: 2026-05-18 19:08 – Updated: 2026-05-18 19:08
VLAI
Summary
Microsoft Security Advisory CVE-2026-32175 – .NET Core Tampering Vulnerability
Details

Executive Summary:

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.

To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.

The security update fixes the vulnerability by ensuring .NET Core properly handles files.

Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/396

CVSS Details

  • Version: 3.1
  • Severity:
  • Score: 4.3
  • Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Weakness: CWE-36: Absolute Path Traversal

Affected Platforms

  • Platforms: Windows
  • Architectures: All

Affected Packages

The vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below

.NET 10

Package name Affected version Patched version
Microsoft.NetCore.App.Runtime.win-arm >= 10.0.0, <= 10.0.7 10.0.8
Microsoft.NetCore.App.Runtime.win-arm64 >= 10.0.0, <= 10.0.7 10.0.8
Microsoft.NetCore.App.Runtime.win-x64 >= 10.0.0, <= 10.0.7 10.0.8
Microsoft.NetCore.App.Runtime.win-x86 >= 10.0.0, <= 10.0.7 10.0.8

.NET 9

Package name Affected version Patched version
Microsoft.NetCore.App.Runtime.win-arm >= 9.0.0, <= 9.0.15 9.0.16
Microsoft.NetCore.App.Runtime.win-arm64 >= 9.0.0, <= 9.0.15 9.0.16
Microsoft.NetCore.App.Runtime.win-x64 >= 9.0.0, <= 9.0.15 9.0.16
Microsoft.NetCore.App.Runtime.win-x86 >= 9.0.0, <= 9.0.15 9.0.16

.NET 8

Package name Affected version Patched version
Microsoft.NetCore.App.Runtime.win-arm >= 8.0.0, <= 8.0.26 8.0.27
Microsoft.NetCore.App.Runtime.win-arm64 >= 8.0.0, <= 8.0.26 8.0.27
Microsoft.NetCore.App.Runtime.win-x64 >= 8.0.0, <= 8.0.26 8.0.27
Microsoft.NetCore.App.Runtime.win-x86 >= 8.0.0, <= 8.0.26 8.0.27

Advisory FAQ

How do I know if I am affected?

If using a package listed in affected packages, a developer's application is exposed to the vulnerability.

How do I fix the issue?

  1. To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If developers have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt them to update Visual Studio, which will also update their .NET SDKs.
  2. If a developer's application references the vulnerable package, update the package reference to the patched version. Developers can list the versions they have installed by running the dotnet --info command.

Once developers have installed the updated runtime or SDK, they can restart their apps for the update to take effect.

Additionally, if they've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Other Information

Reporting Security Issues

If someone has found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the MSRC Researcher Portal. Further information can be found in the MSRC Report an Issue FAQ.

Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

Questions about this issue can be directed to the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. Questions should be submitted to the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2026-32175

Revisions

V1.0 (May 12, 2026): Advisory published.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.26"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.15"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.7"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.26"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.15"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.7"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.26"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.15"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.7"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.26"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.15"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.7"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.NetCore.App.Runtime.win-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T19:08:00Z",
    "nvd_published_at": "2026-05-12T18:16:58Z",
    "severity": "HIGH"
  },
  "details": "## Executive Summary: \n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.  \n\nA tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories. \n\nTo exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system. \n\nThe security update fixes the vulnerability by ensuring .NET Core properly handles files. \n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/396\n\n## CVSS Details\n\n- **Version:** 3.1\n- **Severity:** \n- **Score:** 4.3\n- **Vector:** /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\n- **Weakness:** CWE-36: Absolute Path Traversal\n\n## Affected Platforms\n\n- **Platforms:** Windows\n- **Architectures:** All\n\n## \u003ca name=\"affected-packages\"\u003e\u003c/a\u003eAffected Packages\nThe vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below\n\n### \u003ca name=\".NET 10\"\u003e\u003c/a\u003e.NET 10\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)                   | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)               | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)                   | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)                   | \u003e= 10.0.0, \u003c= 10.0.7 | 10.0.8\n\n### \u003ca name=\".NET 9\"\u003e\u003c/a\u003e.NET 9\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)                   | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)               | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)                   | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)                   | \u003e= 9.0.0, \u003c= 9.0.15 | 9.0.16\n\n### \u003ca name=\".NET 8\"\u003e\u003c/a\u003e.NET 8\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm)                   | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64)               | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64)                   | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n[Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86)                   | \u003e= 8.0.0, \u003c= 8.0.26 | 8.0.27\n\n\n## Advisory FAQ\n\n### \u003ca name=\"how-affected\"\u003e\u003c/a\u003eHow do I know if I am affected?\n\nIf using a package listed in [affected packages](#affected-packages), a developer\u0027s application is exposed to the vulnerability.\n\n### \u003ca name=\"how-fix\"\u003e\u003c/a\u003eHow do I fix the issue?\n\n1. To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If developers have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt them to update Visual Studio, which will also update their .NET  SDKs.\n2. If a developer\u0027s application references the vulnerable package, update the package reference to the patched version. Developers can list the versions they have installed by running the `dotnet --info` command. \n\nOnce developers have installed the updated runtime or SDK, they can restart their apps for the update to take effect.\n\nAdditionally, if they\u0027ve deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf someone has found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue).\n\nSecurity reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.\n\n### Support\n\nQuestions about this issue can be directed to the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. Questions should be submitted to the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2026-32175]( https://www.cve.org/CVERecord?id=CVE-2026-32175)\n\n### Revisions\n\nV1.0 (May 12, 2026): Advisory published.",
  "id": "GHSA-rg75-q538-x34v",
  "modified": "2026-05-18T19:08:00Z",
  "published": "2026-05-18T19:08:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/runtime/security/advisories/GHSA-rg75-q538-x34v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/announcements/issues/396"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dotnet/runtime"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32175"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Microsoft Security Advisory CVE-2026-32175 \u2013 .NET Core Tampering Vulnerability"
}

GHSA-RW2J-4PC3-6H9Q

Vulnerability from github – Published: 2025-12-08 09:30 – Updated: 2025-12-08 09:30
VLAI
Details

Vitals ESP developed by Galaxy Software Services has an Arbitrary File Read vulnerability, allowing privileged remote attackers to exploit Absolute Path Traversal to download arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T08:15:51Z",
    "severity": "MODERATE"
  },
  "details": "Vitals ESP developed by Galaxy Software Services has an Arbitrary File Read vulnerability, allowing privileged remote attackers to exploit Absolute Path Traversal to download arbitrary system files.",
  "id": "GHSA-rw2j-4pc3-6h9q",
  "modified": "2025-12-08T09:30:17Z",
  "published": "2025-12-08T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14253"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10543-380bd-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10542-4c682-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V3X6-95PF-F2F2

Vulnerability from github – Published: 2026-01-22 09:31 – Updated: 2026-01-22 09:31
VLAI
Details

MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T09:15:51Z",
    "severity": "HIGH"
  },
  "details": "MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.",
  "id": "GHSA-v3x6-95pf-f2f2",
  "modified": "2026-01-22T09:31:39Z",
  "published": "2026-01-22T09:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1330"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V7RW-F6Q6-RHWQ

Vulnerability from github – Published: 2025-05-23 12:31 – Updated: 2025-05-23 12:31
VLAI
Details

Stored Absolute Path Traversal vulnerabilities in ASPECT could expose sensitive data if administrator credentials become compromised.

This issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: through 3.*.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-23T10:15:19Z",
    "severity": "HIGH"
  },
  "details": "Stored Absolute Path Traversal vulnerabilities in ASPECT could expose sensitive data \nif administrator credentials become compromised.\n\nThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.",
  "id": "GHSA-v7rw-f6q6-rhwq",
  "modified": "2025-05-23T12:31:21Z",
  "published": "2025-05-23T12:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13945"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-V9CX-QP5G-QCHC

Vulnerability from github – Published: 2025-02-03 06:30 – Updated: 2025-02-09 06:30
VLAI
Details

libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-03T05:15:10Z",
    "severity": "MODERATE"
  },
  "details": "libarchiveplugin.cpp in KDE ark before 24.12.0 can extract to an absolute path from an archive.",
  "id": "GHSA-v9cx-qp5g-qchc",
  "modified": "2025-02-09T06:30:52Z",
  "published": "2025-02-03T06:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57966"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KDE/ark/commit/fe518d81b338941e0bf1c5ce5e75a9ab6de4bb58"
    },
    {
      "type": "WEB",
      "url": "https://github.com/KDE/ark/compare/v24.11.90...v24.12.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFFH-C9PQ-4CRH

Vulnerability from github – Published: 2025-10-20 20:03 – Updated: 2025-10-20 20:03
VLAI
Summary
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
Details

Summary

In some Notification types (e.g., Webhook, Telegram), the send() function allows user-controlled renderTemplate input. This leads to a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server.

Details

The root cause is how Uptime Kuma renders user-controlled templates via renderTemplate(). The function instantiates a Liquid template engine and parses the template argument without sanitization:

async renderTemplate(template, msg, monitorJSON, heartbeatJSON) {
    const engine = new Liquid();
    const parsedTpl = engine.parse(template);

    // ...
}

In some Notification flows, the send() implementation passes user-editable fields directly into renderTemplate():

// webhook.js
if (notification.webhookContentType === "form-data") {
    const formData = new FormData();
    formData.append("data", JSON.stringify(data));
    config.headers = formData.getHeaders();
    data = formData;
} else if (notification.webhookContentType === "custom") {
    data = await this.renderTemplate(notification.webhookCustomBody, msg, monitorJSON, heartbeatJSON); //<- this line cause SSTI
}

Because notification can be edited by users and is rendered by the Liquid engine without proper sandboxing or a whitelist of allowed operations, an attacker can supply a crafted template that causes the server to read arbitrary files. In particular, Liquid’s template tags (e.g. {% render ... %}) can be abused to include server-side files if the engine is not restricted, resulting in Server-side Template Injection (SSTI) that leaks sensitive file contents.

PoC

  1. Open Uptime Kuma → NotificationsAdd or Edit an existing Webhook notification.
  2. Set notification type to Webhook and set Request Body to Custom Body.
  3. Paste the following JSON into the custom request body:
{
  "Title": {% render '/etc/passwd' %}
}
  1. Click test.
  2. Your webhook will receive the file content

Impact

This is a post-authentication Server-side Template Injection (SSTI) vulnerability that allows an authenticated user to perform arbitrary file read on the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uptime-kuma"
      },
      "versions": [
        "2.0.0-dev.0"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-36"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-20T20:03:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nIn some Notification types (e.g., Webhook, Telegram), the `send()` function allows user-controlled renderTemplate input. This leads to a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server.\n\n\n\n### Details\n\nThe root cause is how Uptime Kuma renders user-controlled templates via `renderTemplate()`. The function instantiates a Liquid template engine and parses the `template` argument without sanitization:\n\n```js\nasync renderTemplate(template, msg, monitorJSON, heartbeatJSON) {\n    const engine = new Liquid();\n    const parsedTpl = engine.parse(template);\n\n    // ...\n}\n```\n\nIn some Notification flows, the `send()` implementation passes user-editable fields directly into `renderTemplate()`:\n```js\n// webhook.js\nif (notification.webhookContentType === \"form-data\") {\n    const formData = new FormData();\n    formData.append(\"data\", JSON.stringify(data));\n    config.headers = formData.getHeaders();\n    data = formData;\n} else if (notification.webhookContentType === \"custom\") {\n    data = await this.renderTemplate(notification.webhookCustomBody, msg, monitorJSON, heartbeatJSON); //\u003c- this line cause SSTI\n}\n```\n\nBecause `notification` can be edited by users and is rendered by the Liquid engine without proper sandboxing or a whitelist of allowed operations, an attacker can supply a crafted template that causes the server to read arbitrary files. In particular, Liquid\u2019s template tags (e.g. `{% render ... %}`) can be abused to include server-side files if the engine is not restricted, resulting in Server-side Template Injection (SSTI) that leaks sensitive file contents.\n\n\n\n### PoC\n\n1. Open Uptime Kuma \u2192 **Notifications** \u2192 **Add** or **Edit** an existing Webhook notification.\n2. Set notification type to **Webhook** and set **Request Body**  to **Custom Body**.\n3. Paste the following JSON into the custom request body:\n\n```json\n{\n  \"Title\": {% render \u0027/etc/passwd\u0027 %}\n}\n```\n\n4. Click test.\n5. Your webhook will receive the file content\n\n\n\n### Impact\n\nThis is a post-authentication Server-side Template Injection (SSTI) vulnerability that allows an authenticated user to perform arbitrary file read on the server.",
  "id": "GHSA-vffh-c9pq-4crh",
  "modified": "2025-10-20T20:03:15Z",
  "published": "2025-10-20T20:03:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-vffh-c9pq-4crh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/louislam/uptime-kuma"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read"
}

GHSA-VVCP-WCVC-HV6H

Vulnerability from github – Published: 2025-05-22 18:31 – Updated: 2025-05-22 18:31
VLAI
Details

Absolute File Traversal vulnerabilities in ASPECT allows access and modification of unintended resources. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-36"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T17:15:23Z",
    "severity": "HIGH"
  },
  "details": "Absolute File Traversal vulnerabilities in ASPECT allows access and modification of unintended resources.\nThis issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.",
  "id": "GHSA-vvcp-wcvc-hv6h",
  "modified": "2025-05-22T18:31:15Z",
  "published": "2025-05-22T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48850"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W9XV-QF98-CCQ4

Vulnerability from github – Published: 2024-10-07 15:58 – Updated: 2025-03-06 18:13
VLAI
Summary
PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled
Details

Summary

It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with $writer->setEmbedImages(true); those files will be included in the output as data: URLs, regardless of the file's type. Also URLs can be used for embedding, resulting in a Server-Side Request Forgery vulnerability.

Details

XLSX files allow embedding or linking media. When

In xl/drawings/drawing1.xml an attacker can do e.g.:

<a:blip cstate="print" r:link="rId1" />

And then, in xl/drawings/_rels/drawing1.xml.rels they can set the path to anything, such as:

<Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    Target="/etc/passwd" />

or

<Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
    Target="http://example.org" />

When the HTML writer is outputting the image, it does not check the path in any way. Also the getimagesize() call does not mitigate this, because when getimagesize() returns false, an empty mime type is used.

if ($this->embedImages || str_starts_with($imageData, 'zip://')) {
    $picture = @file_get_contents($filename);
    if ($picture !== false) {
        $imageDetails = getimagesize($filename) ?: ['mime' => ''];
        // base64 encode the binary data
        $base64 = base64_encode($picture);
        $imageData = 'data:' . $imageDetails['mime'] . ';base64,' . $base64;
    }
}

$html .= '<img style="position: absolute; z-index: 1; left: '
    . $drawing->getOffsetX() . 'px; top: ' . $drawing->getOffsetY() . 'px; width: '
    . $drawing->getWidth() . 'px; height: ' . $drawing->getHeight() . 'px;" src="'
    . $imageData . '" alt="' . $filedesc . '" />';

PoC

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
$writer->setEmbedImages(true);
$output = $writer->generateHTMLAll();

// The below is just for demo purposes

$pattern = '/data:;base64,(?<data>[^"]+)/i';

preg_match_all($pattern, $output, $matches);

print("*** /etc/passwd content: ***\n");
print(base64_decode($matches['data'][0]));

print("*** HTTP response content: ***\n");
print(base64_decode($matches['data'][1]));

Add this file in the same directory: book.xlsx

Run with: php index.php

Impact

When embedding images has been enabled, an attacker can read arbitrary files on the server and perform arbitrary HTTP GET requests, potentially e.g. revealing secrets. Note that any PHP protocol wrappers can be used, meaning that if for example the expect:// wrapper is enabled, also remote code execution is possible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-36",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-07T15:58:06Z",
    "nvd_published_at": "2024-10-07T21:15:17Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nIt\u0027s possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer-\u003esetEmbedImages(true);` those files will be included in the output as `data:` URLs, regardless of the file\u0027s type. Also URLs can be used for embedding, resulting in a Server-Side Request Forgery vulnerability.\n\n### Details\n\nXLSX files allow embedding or linking media. When \n\nIn `xl/drawings/drawing1.xml` an attacker can do e.g.:\n```xml\n\u003ca:blip cstate=\"print\" r:link=\"rId1\" /\u003e\n```\n\nAnd then, in `xl/drawings/_rels/drawing1.xml.rels` they can set the path to anything, such as:\n```xml\n\u003cRelationship Id=\"rId1\"\n    Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/image\"\n    Target=\"/etc/passwd\" /\u003e\n```\nor\n```xml\n\u003cRelationship Id=\"rId1\"\n    Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/image\"\n    Target=\"http://example.org\" /\u003e\n```\n\nWhen the HTML writer is outputting the image, it does not check the path in any way. Also the `getimagesize()` call does not mitigate this, because when `getimagesize()` returns false, an empty mime type is used.\n\n```php\nif ($this-\u003eembedImages || str_starts_with($imageData, \u0027zip://\u0027)) {\n    $picture = @file_get_contents($filename);\n    if ($picture !== false) {\n        $imageDetails = getimagesize($filename) ?: [\u0027mime\u0027 =\u003e \u0027\u0027];\n        // base64 encode the binary data\n        $base64 = base64_encode($picture);\n        $imageData = \u0027data:\u0027 . $imageDetails[\u0027mime\u0027] . \u0027;base64,\u0027 . $base64;\n    }\n}\n\n$html .= \u0027\u003cimg style=\"position: absolute; z-index: 1; left: \u0027\n    . $drawing-\u003egetOffsetX() . \u0027px; top: \u0027 . $drawing-\u003egetOffsetY() . \u0027px; width: \u0027\n    . $drawing-\u003egetWidth() . \u0027px; height: \u0027 . $drawing-\u003egetHeight() . \u0027px;\" src=\"\u0027\n    . $imageData . \u0027\" alt=\"\u0027 . $filedesc . \u0027\" /\u003e\u0027;\n```\n\n### PoC\n\n```php\n\u003c?php\n\nrequire \u0027vendor/autoload.php\u0027;\n\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader(\"Xlsx\");\n$spreadsheet = $reader-\u003eload(__DIR__ . \u0027/book.xlsx\u0027);\n\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet);\n$writer-\u003esetEmbedImages(true);\n$output = $writer-\u003egenerateHTMLAll();\n\n// The below is just for demo purposes\n\n$pattern = \u0027/data:;base64,(?\u003cdata\u003e[^\"]+)/i\u0027;\n\npreg_match_all($pattern, $output, $matches);\n\nprint(\"*** /etc/passwd content: ***\\n\");\nprint(base64_decode($matches[\u0027data\u0027][0]));\n\nprint(\"*** HTTP response content: ***\\n\");\nprint(base64_decode($matches[\u0027data\u0027][1]));\n```\n\nAdd this file in the same directory:\n[book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15213066/book.xlsx)\n\nRun with:\n`php index.php`\n\n### Impact\n\nWhen embedding images has been enabled, an attacker can read arbitrary files on the server and perform arbitrary HTTP GET requests, potentially e.g. [revealing secrets](https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/). Note that any PHP protocol wrappers can be used, meaning that if for example the `expect://` wrapper is enabled, also remote code execution is possible.",
  "id": "GHSA-w9xv-qf98-ccq4",
  "modified": "2025-03-06T18:13:21Z",
  "published": "2024-10-07T15:58:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/a9693d1182df6695c14bc5d74315ac71a3398e5a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/d95bc290beb137d4118095b96f62ec47e0205cec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/e04ed222b36fd5fd6fed0c10c765c2b68effb465"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled"
}

Mitigation MIT-5.1
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-597: Absolute Path Traversal

An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.