CWE-548
AllowedExposure of Information Through Directory Listing
Abstraction: Variant · Status: Draft
The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
101 vulnerabilities reference this CWE, most recent first.
CVE-2014-125069 (GCVE-0-2014-125069)
Vulnerability from cvelistv5 – Published: 2023-01-08 10:29 – Updated: 2024-08-06 14:10- CWE-548 - Exposure of Information Through Directory Listing
| URL | Tags |
|---|---|
| https://vuldb.com/?id.217644 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.217644 | signaturepermissions-required |
| https://github.com/saxman/maps-js-icoads/commit/3… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| saxman | maps-js-icoads |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T14:10:56.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.217644"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.217644"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/saxman/maps-js-icoads/commit/34b8b0cce2807b119f4cffda2ac48fc8f427d69a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "maps-js-icoads",
"vendor": "saxman",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "tool",
"value": "VulDB GitHub Commit Analyzer"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in saxman maps-js-icoads. It has been classified as problematic. Affected is an unknown function. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The name of the patch is 34b8b0cce2807b119f4cffda2ac48fc8f427d69a. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217644."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in saxman maps-js-icoads ausgemacht. Betroffen hiervon ist ein unbekannter Ablauf. Durch das Beeinflussen mit unbekannten Daten kann eine exposure of information through directory listing-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Patch wird als 34b8b0cce2807b119f4cffda2ac48fc8f427d69a bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T06:37:25.567Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.217644"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.217644"
},
{
"tags": [
"patch"
],
"url": "https://github.com/saxman/maps-js-icoads/commit/34b8b0cce2807b119f4cffda2ac48fc8f427d69a"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-01-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-01-08T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-01-08T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-01-30T08:53:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "saxman maps-js-icoads exposure of information through directory listing"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2014-125069",
"datePublished": "2023-01-08T10:29:51.522Z",
"dateReserved": "2023-01-08T10:29:29.723Z",
"dateUpdated": "2024-08-06T14:10:56.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-269F-C6H8-6GV2
Vulnerability from github – Published: 2023-01-08 12:30 – Updated: 2023-01-12 18:30A vulnerability was found in saxman maps-js-icoads. It has been classified as problematic. Affected is an unknown function. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The name of the patch is 34b8b0cce2807b119f4cffda2ac48fc8f427d69a. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217644.
{
"affected": [],
"aliases": [
"CVE-2014-125069"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-08T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in saxman maps-js-icoads. It has been classified as problematic. Affected is an unknown function. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The name of the patch is 34b8b0cce2807b119f4cffda2ac48fc8f427d69a. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217644.",
"id": "GHSA-269f-c6h8-6gv2",
"modified": "2023-01-12T18:30:28Z",
"published": "2023-01-08T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125069"
},
{
"type": "WEB",
"url": "https://github.com/saxman/maps-js-icoads/commit/34b8b0cce2807b119f4cffda2ac48fc8f427d69a"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217644"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217644"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2C59-J8FR-6828
Vulnerability from github – Published: 2024-03-21 03:36 – Updated: 2024-08-06 18:30A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
{
"affected": [],
"aliases": [
"CVE-2023-49979"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-21T02:49:38Z",
"severity": "HIGH"
},
"details": "A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.",
"id": "GHSA-2c59-j8fr-6828",
"modified": "2024-08-06T18:30:49Z",
"published": "2024-03-21T03:36:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49979"
},
{
"type": "WEB",
"url": "https://github.com/geraldoalcantara/CVE-2023-49979"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2GP2-MFG4-Q5MV
Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system.
{
"affected": [],
"aliases": [
"CVE-2023-38265"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-17T20:22:00Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system.",
"id": "GHSA-2gp2-mfg4-q5mv",
"modified": "2026-02-17T21:31:14Z",
"published": "2026-02-17T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38265"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7259955"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2X5M-6JX4-JR66
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20Dell EMC PowerScale OneFS versions 9.1.0, 9.2.0.x, 9.2.1.x contain an Exposure of Information through Directory Listing vulnerability. This vulnerability is triggered when upgrading from a previous versions.
{
"affected": [],
"aliases": [
"CVE-2021-21528"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-12T23:15:00Z",
"severity": "HIGH"
},
"details": "Dell EMC PowerScale OneFS versions 9.1.0, 9.2.0.x, 9.2.1.x contain an Exposure of Information through Directory Listing vulnerability. This vulnerability is triggered when upgrading from a previous versions.",
"id": "GHSA-2x5m-6jx4-jr66",
"modified": "2022-05-24T19:20:37Z",
"published": "2022-05-24T19:20:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21528"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000193005"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-36HM-C9F8-F8XC
Vulnerability from github – Published: 2026-06-05 15:32 – Updated: 2026-06-05 15:32Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.
{
"affected": [],
"aliases": [
"CVE-2026-50233"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T14:16:36Z",
"severity": "MODERATE"
},
"details": "Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.",
"id": "GHSA-36hm-c9f8-f8xc",
"modified": "2026-06-05T15:32:25Z",
"published": "2026-06-05T15:32:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50233"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/lyrion-music-server-arbitrary-directory-listing"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5991.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3P7Q-RQJ4-RF3G
Vulnerability from github – Published: 2025-10-14 15:31 – Updated: 2025-10-14 15:31IBM Content Navigator 3.0.11, 3.0.15, 3.1.0, and 3.2.0 could expose the directory listing of the application upon using an application URL. Application files and folders are visible in the browser to a user; however, the contents of the files cannot be read obtained or modified.
{
"affected": [],
"aliases": [
"CVE-2025-27906"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T15:16:08Z",
"severity": "MODERATE"
},
"details": "IBM Content Navigator 3.0.11, 3.0.15, 3.1.0, and 3.2.0 could expose the directory listing of the application upon using an application URL. Application files and folders are visible in the browser to a user; however, the contents of the files cannot be read obtained or modified.",
"id": "GHSA-3p7q-rqj4-rf3g",
"modified": "2025-10-14T15:31:27Z",
"published": "2025-10-14T15:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27906"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7247854"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3PJ2-86G9-6MF7
Vulnerability from github – Published: 2024-09-05 18:30 – Updated: 2024-09-05 18:30IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user with access to the package to obtain sensitive information through a directory listing.
{
"affected": [],
"aliases": [
"CVE-2024-45096"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-05T16:15:07Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user with access to the package to obtain sensitive information through a directory listing.",
"id": "GHSA-3pj2-86g9-6mf7",
"modified": "2024-09-05T18:30:56Z",
"published": "2024-09-05T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45096"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7167255"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-42JJ-4CC5-RM9V
Vulnerability from github – Published: 2025-05-16 21:32 – Updated: 2025-05-16 21:32A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-4807"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-16T20:15:22Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, was found in SourceCodester Online Student Clearance System 1.0. This affects an unknown part. The manipulation leads to exposure of information through directory listing. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-42jj-4cc5-rm9v",
"modified": "2025-05-16T21:32:12Z",
"published": "2025-05-16T21:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4807"
},
{
"type": "WEB",
"url": "https://github.com/laifeng-boy/cve/issues/2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.309261"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.309261"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.572238"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-45J8-PM75-5V8X
Vulnerability from github – Published: 2019-02-07 18:18 – Updated: 2020-08-31 18:42Versions of simplehttpserver prior to 0.2.1 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths.
Recommendation
Upgrade to version 0.2.1 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "static-resource-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-16493"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:57:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `simplehttpserver` prior to 0.2.1 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. \n\n\n## Recommendation\n\nUpgrade to version 0.2.1 or later.",
"id": "GHSA-45j8-pm75-5v8x",
"modified": "2020-08-31T18:42:22Z",
"published": "2019-02-07T18:18:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16493"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/357109"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/432600"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-45j8-pm75-5v8x"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/967"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/968"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Path Traversal in simplehttpserver"
}
Mitigation
Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.
No CAPEC attack patterns related to this CWE.