CWE-548
AllowedExposure of Information Through Directory Listing
Abstraction: Variant · Status: Draft
The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
101 vulnerabilities reference this CWE, most recent first.
GHSA-46HV-7769-J7RX
Vulnerability from github – Published: 2019-06-13 16:12 – Updated: 2023-09-07 21:43Affected versions of harp are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as _secret-folder. If the underscore character is URL encoded the server delivers the file.
Recommendation
Upgrade to version 0.40.2 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "harp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.40.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-5437"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": true,
"github_reviewed_at": "2019-06-13T16:10:40Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of `harp` are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as `_secret-folder`. If the underscore character is URL encoded the server delivers the file.\n\n## Recommendation\n\nUpgrade to version `0.40.2` or later.",
"id": "GHSA-46hv-7769-j7rx",
"modified": "2023-09-07T21:43:42Z",
"published": "2019-06-13T16:12:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5437"
},
{
"type": "WEB",
"url": "https://github.com/sintaxi/harp/commit/1ec790baeeb2bfdb4584f1998af3d10a8fa31210"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/453820"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/807"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Unauthorized File Access in harp"
}
GHSA-4H2P-C2MF-FQ35
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07QSAN Storage Manager through directory listing vulnerability in ViewBroserList allows remote authenticated attackers to list arbitrary directories via the file path parameter.
{
"affected": [],
"aliases": [
"CVE-2021-32511"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T14:15:00Z",
"severity": "MODERATE"
},
"details": "QSAN Storage Manager through directory listing vulnerability in ViewBroserList allows remote authenticated attackers to list arbitrary directories via the file path parameter.",
"id": "GHSA-4h2p-c2mf-fq35",
"modified": "2022-05-24T19:07:03Z",
"published": "2022-05-24T19:07:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32511"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4867-9c11c-1.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4PJM-2JF5-8H3G
Vulnerability from github – Published: 2025-03-23 15:30 – Updated: 2025-03-23 15:30A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.
{
"affected": [],
"aliases": [
"CVE-2025-2651"
],
"database_specific": {
"cwe_ids": [
"CWE-548",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-23T15:15:13Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /oews/admin/. The manipulation leads to exposure of information through directory listing. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.",
"id": "GHSA-4pjm-2jf5-8h3g",
"modified": "2025-03-23T15:30:33Z",
"published": "2025-03-23T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2651"
},
{
"type": "WEB",
"url": "https://github.com/happytraveller-alone/cve/blob/main/Directory%20Traversal%20Vulnerability.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.300666"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.300666"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.519873"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5CRV-26FX-6C29
Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-25 00:00mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive directory listing information.
{
"affected": [],
"aliases": [
"CVE-2021-27505"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-13T16:15:00Z",
"severity": "HIGH"
},
"details": "mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive directory listing information.",
"id": "GHSA-5crv-26fx-6c29",
"modified": "2022-05-25T00:00:20Z",
"published": "2022-05-14T00:01:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27505"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
},
{
"type": "WEB",
"url": "https://www.myscada.org/version-8-20-0-released-security-update"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5F9H-9PJV-V6J7
Vulnerability from github – Published: 2020-07-06 21:31 – Updated: 2022-05-26 20:45A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8161"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-548"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-06T21:30:32Z",
"nvd_published_at": "2020-07-02T19:15:00Z",
"severity": "HIGH"
},
"details": "A directory traversal vulnerability exists in rack \u003c 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.",
"id": "GHSA-5f9h-9pjv-v6j7",
"modified": "2022-05-26T20:45:56Z",
"published": "2020-07-06T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8161"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2020-8161.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/rubyonrails-security/c/IOO1vNZTzPA"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4561-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directory traversal in Rack::Directory app bundled with Rack"
}
GHSA-7GVX-RVMQ-CW57
Vulnerability from github – Published: 2025-05-19 06:30 – Updated: 2025-05-19 06:30A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-4909"
],
"database_specific": {
"cwe_ids": [
"CWE-548",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-19T04:15:42Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as critical was found in SourceCodester Client Database Management System 1.0. This vulnerability affects unknown code. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-7gvx-rvmq-cw57",
"modified": "2025-05-19T06:30:35Z",
"published": "2025-05-19T06:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4909"
},
{
"type": "WEB",
"url": "https://github.com/dengxun628/cve/issues/3"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.309466"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.309466"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.578723"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7PFJ-H559-R483
Vulnerability from github – Published: 2026-05-20 18:31 – Updated: 2026-05-20 18:31Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
{
"affected": [],
"aliases": [
"CVE-2025-32750"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T16:16:24Z",
"severity": "HIGH"
},
"details": "Dell PowerFlex Manager, version(s) \u003c=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.",
"id": "GHSA-7pfj-h559-r483",
"modified": "2026-05-20T18:31:35Z",
"published": "2026-05-20T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32750"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7WQX-PVJM-73Q6
Vulnerability from github – Published: 2025-07-29 18:30 – Updated: 2025-07-29 18:30Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.
{
"affected": [],
"aliases": [
"CVE-2025-28170"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-29T17:15:32Z",
"severity": "HIGH"
},
"details": "Grandstream Networks GXP1628 \u003c=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.",
"id": "GHSA-7wqx-pvjm-73q6",
"modified": "2025-07-29T18:30:34Z",
"published": "2025-07-29T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28170"
},
{
"type": "WEB",
"url": "https://gist.github.com/Exek1el/928ea6fd06d3b48c1c91cfdc30317d8d"
},
{
"type": "WEB",
"url": "http://grandstream.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7XPG-WG42-PGPG
Vulnerability from github – Published: 2025-03-23 15:30 – Updated: 2025-03-23 15:30A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to exposure of information through directory listing. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.
{
"affected": [],
"aliases": [
"CVE-2025-2652"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-23T15:15:13Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to exposure of information through directory listing. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. Multiple sub-directories are affected.",
"id": "GHSA-7xpg-wg42-pgpg",
"modified": "2025-03-23T15:30:33Z",
"published": "2025-03-23T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2652"
},
{
"type": "WEB",
"url": "https://github.com/happytraveller-alone/cve/blob/main/dir.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.300667"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.300667"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.519876"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8R2H-58X4-RMXG
Vulnerability from github – Published: 2024-08-19 00:31 – Updated: 2024-08-19 00:31A vulnerability was found in CodeAstro Online Railway Reservation System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/assets/. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2024-7912"
],
"database_specific": {
"cwe_ids": [
"CWE-548"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-18T22:15:12Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in CodeAstro Online Railway Reservation System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/assets/. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-8r2h-58x4-rmxg",
"modified": "2024-08-19T00:31:09Z",
"published": "2024-08-19T00:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7912"
},
{
"type": "WEB",
"url": "https://github.com/CYB84/CVE_Writeup/blob/main/Online%20Railway%20Reservation%20System/Directory%20Listing.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.275038"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.275038"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.391658"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.
No CAPEC attack patterns related to this CWE.