Common Weakness Enumeration

CWE-548

Allowed

Exposure of Information Through Directory Listing

Abstraction: Variant · Status: Draft

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

101 vulnerabilities reference this CWE, most recent first.

GHSA-46HV-7769-J7RX

Vulnerability from github – Published: 2019-06-13 16:12 – Updated: 2023-09-07 21:43
VLAI
Summary
Unauthorized File Access in harp
Details

Affected versions of harp are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as _secret-folder. If the underscore character is URL encoded the server delivers the file.

Recommendation

Upgrade to version 0.40.2 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "harp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.40.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-5437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-13T16:10:40Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Affected versions of `harp` are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as `_secret-folder`. If the underscore character is URL encoded the server delivers the file.\n\n## Recommendation\n\nUpgrade to version `0.40.2` or later.",
  "id": "GHSA-46hv-7769-j7rx",
  "modified": "2023-09-07T21:43:42Z",
  "published": "2019-06-13T16:12:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sintaxi/harp/commit/1ec790baeeb2bfdb4584f1998af3d10a8fa31210"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/453820"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/807"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthorized File Access in harp"
}

GHSA-4H2P-C2MF-FQ35

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07
VLAI
Details

QSAN Storage Manager through directory listing vulnerability in ViewBroserList allows remote authenticated attackers to list arbitrary directories via the file path parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-32511"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-07T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "QSAN Storage Manager through directory listing vulnerability in ViewBroserList allows remote authenticated attackers to list arbitrary directories via the file path parameter.",
  "id": "GHSA-4h2p-c2mf-fq35",
  "modified": "2022-05-24T19:07:03Z",
  "published": "2022-05-24T19:07:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32511"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-4867-9c11c-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4PJM-2JF5-8H3G

Vulnerability from github – Published: 2025-03-23 15:30 – Updated: 2025-03-23 15:30
VLAI
Details

A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548",
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-23T15:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.",
  "id": "GHSA-4pjm-2jf5-8h3g",
  "modified": "2025-03-23T15:30:33Z",
  "published": "2025-03-23T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/happytraveller-alone/cve/blob/main/Directory%20Traversal%20Vulnerability.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.300666"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.300666"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.519873"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5CRV-26FX-6C29

Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-25 00:00
VLAI
Details

mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive directory listing information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive directory listing information.",
  "id": "GHSA-5crv-26fx-6c29",
  "modified": "2022-05-25T00:00:20Z",
  "published": "2022-05-14T00:01:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27505"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
    },
    {
      "type": "WEB",
      "url": "https://www.myscada.org/version-8-20-0-released-security-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5F9H-9PJV-V6J7

Vulnerability from github – Published: 2020-07-06 21:31 – Updated: 2022-05-26 20:45
VLAI
Summary
Directory traversal in Rack::Directory app bundled with Rack
Details

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-548"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-06T21:30:32Z",
    "nvd_published_at": "2020-07-02T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A directory traversal vulnerability exists in rack \u003c 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.",
  "id": "GHSA-5f9h-9pjv-v6j7",
  "modified": "2022-05-26T20:45:56Z",
  "published": "2020-07-06T21:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2020-8161.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/rubyonrails-security/c/IOO1vNZTzPA"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4561-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directory traversal in Rack::Directory app bundled with Rack"
}

GHSA-7GVX-RVMQ-CW57

Vulnerability from github – Published: 2025-05-19 06:30 – Updated: 2025-05-19 06:30
VLAI
Details

A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548",
      "CWE-552"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-19T04:15:42Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-7gvx-rvmq-cw57",
  "modified": "2025-05-19T06:30:35Z",
  "published": "2025-05-19T06:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4909"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dengxun628/cve/issues/3"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.309466"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.309466"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.578723"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7PFJ-H559-R483

Vulnerability from github – Published: 2026-05-20 18:31 – Updated: 2026-05-20 18:31
VLAI
Details

Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T16:16:24Z",
    "severity": "HIGH"
  },
  "details": "Dell PowerFlex Manager, version(s) \u003c=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.",
  "id": "GHSA-7pfj-h559-r483",
  "modified": "2026-05-20T18:31:35Z",
  "published": "2026-05-20T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32750"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WQX-PVJM-73Q6

Vulnerability from github – Published: 2025-07-29 18:30 – Updated: 2025-07-29 18:30
VLAI
Details

Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-28170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-29T17:15:32Z",
    "severity": "HIGH"
  },
  "details": "Grandstream Networks GXP1628 \u003c=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.",
  "id": "GHSA-7wqx-pvjm-73q6",
  "modified": "2025-07-29T18:30:34Z",
  "published": "2025-07-29T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28170"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Exek1el/928ea6fd06d3b48c1c91cfdc30317d8d"
    },
    {
      "type": "WEB",
      "url": "http://grandstream.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7XPG-WG42-PGPG

Vulnerability from github – Published: 2025-03-23 15:30 – Updated: 2025-03-23 15:30
VLAI
Details

A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to exposure of information through directory listing. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-23T15:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to exposure of information through directory listing. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.",
  "id": "GHSA-7xpg-wg42-pgpg",
  "modified": "2025-03-23T15:30:33Z",
  "published": "2025-03-23T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/happytraveller-alone/cve/blob/main/dir.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.300667"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.300667"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.519876"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8R2H-58X4-RMXG

Vulnerability from github – Published: 2024-08-19 00:31 – Updated: 2024-08-19 00:31
VLAI
Details

A vulnerability was found in CodeAstro Online Railway Reservation System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/assets/. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-18T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in CodeAstro Online Railway Reservation System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/assets/. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-8r2h-58x4-rmxg",
  "modified": "2024-08-19T00:31:09Z",
  "published": "2024-08-19T00:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7912"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CYB84/CVE_Writeup/blob/main/Online%20Railway%20Reservation%20System/Directory%20Listing.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.275038"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.275038"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.391658"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design System Configuration

Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.

No CAPEC attack patterns related to this CWE.