Common Weakness Enumeration

CWE-548

Allowed

Exposure of Information Through Directory Listing

Abstraction: Variant · Status: Draft

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

101 vulnerabilities reference this CWE, most recent first.

GHSA-94FR-F773-P7WG

Vulnerability from github – Published: 2025-12-09 21:31 – Updated: 2025-12-19 21:30
VLAI
Details

OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47718"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T21:15:50Z",
    "severity": "HIGH"
  },
  "details": "OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information.",
  "id": "GHSA-94fr-f773-p7wg",
  "modified": "2025-12-19T21:30:15Z",
  "published": "2025-12-09T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47718"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/50671"
    },
    {
      "type": "WEB",
      "url": "https://www.openbmcs.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openbmcs-directory-listing-information-disclosure"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-94QF-5XC2-5VRQ

Vulnerability from github – Published: 2024-04-12 15:37 – Updated: 2024-07-05 15:32
VLAI
Details

Information exposure vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to enumerate all files in the web tree by accessing a php file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-12T14:15:09Z",
    "severity": "MODERATE"
  },
  "details": "   Information exposure vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to enumerate all files in the web tree by accessing a php file.",
  "id": "GHSA-94qf-5xc2-5vrq",
  "modified": "2024-07-05T15:32:05Z",
  "published": "2024-04-12T15:37:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3707"
    },
    {
      "type": "WEB",
      "url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99VG-WHP9-CXQ4

Vulnerability from github – Published: 2024-01-19 15:30 – Updated: 2024-01-25 21:32
VLAI
Details

A Site-wide directory listing vulnerability in /fm in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to list the files hosted by the web application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-51948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-19T14:15:12Z",
    "severity": "HIGH"
  },
  "details": "A Site-wide directory listing vulnerability in /fm in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to list the files hosted by the web application.",
  "id": "GHSA-99vg-whp9-cxq4",
  "modified": "2024-01-25T21:32:13Z",
  "published": "2024-01-19T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51948"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saw-your-packet/CVEs/blob/main/CVE-2023-51948/README.md"
    },
    {
      "type": "WEB",
      "url": "https://www.actidata.com/index.php/de-de/actinas-plus-sl-2u-8-rdx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9VP2-38F9-8838

Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34
VLAI
Details

The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules

pose a risk to the webserver which enable dircetory listing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T12:15:23Z",
    "severity": "MODERATE"
  },
  "details": "The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules \n\npose a risk to the webserver which enable dircetory listing.",
  "id": "GHSA-9vp2-38f9-8838",
  "modified": "2025-07-03T12:34:58Z",
  "published": "2025-07-03T12:34:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27452"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.endress.com"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9X83-XQ9P-CXQ5

Vulnerability from github – Published: 2025-12-31 00:31 – Updated: 2025-12-31 00:31
VLAI
Details

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T23:15:45Z",
    "severity": "MODERATE"
  },
  "details": "SOUND4 IMPACT/FIRST/PULSE/Eco \u003c=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication.",
  "id": "GHSA-9x83-xq9p-cxq5",
  "modified": "2025-12-31T00:31:10Z",
  "published": "2025-12-31T00:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50788"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/247921"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/170259/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Information-Disclosure.html"
    },
    {
      "type": "WEB",
      "url": "https://www.sound4.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-information-disclosure-via-log-directory"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5732.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-C2GJ-RQW8-V3HW

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

An Information Exposure issue was discovered in Trihedral VTScada Versions prior to 11.2.26. Some files are exposed within the web server application to unauthenticated users. These files may contain sensitive configuration information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-21T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "An Information Exposure issue was discovered in Trihedral VTScada Versions prior to 11.2.26. Some files are exposed within the web server application to unauthenticated users. These files may contain sensitive configuration information.",
  "id": "GHSA-c2gj-rqw8-v3hw",
  "modified": "2022-05-13T01:36:33Z",
  "published": "2022-05-13T01:36:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6045"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99066"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5CJ-XP43-QCC3

Vulnerability from github – Published: 2025-10-23 12:31 – Updated: 2025-10-24 20:58
VLAI
Summary
Moodle's error handling leads to sensitive information disclosure
Details

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-beta"
            },
            {
              "fixed": "5.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0-beta"
            },
            {
              "fixed": "4.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-24T20:58:32Z",
    "nvd_published_at": "2025-10-23T12:15:31Z",
    "severity": "MODERATE"
  },
  "details": "An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.",
  "id": "GHSA-c5cj-xp43-qcc3",
  "modified": "2025-10-24T20:58:32Z",
  "published": "2025-10-23T12:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62396"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/5d4910509eeaac8403d18ec8f259e29d2f11527e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/5e7d5abc483d0511ebfc2042075eabcc392ff4ce"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-62396"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404429"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=470385"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moodle\u0027s error handling leads to sensitive information disclosure"
}

GHSA-CFQX-F43M-VFH7

Vulnerability from github – Published: 2024-10-03 19:46 – Updated: 2024-10-03 19:46
VLAI
Summary
@saltcorn/server arbitrary file and directory listing when accessing build mobile app results
Details

Summary

A user with admin permission can read arbitrary file and directory names on the filesystem by calling the admin/build-mobile-app/result?build_dir_name= endpoint. The build_dir_name parameter is not properly validated and it's then used to construct the buildDir that is read. The file/directory names under the buildDir will be returned.

Details

  • file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L2884-L2893
router.get(
  "/build-mobile-app/result",
  isAdmin,
  error_catcher(async (req, res) => {
    const { build_dir_name } = req.query; // [1] source
    const rootFolder = await File.rootFolder();
    const buildDir = path.join(
      rootFolder.location,
      "mobile_app",
      build_dir_name // [2]
    );
    const files = await Promise.all(
      fs
        .readdirSync(buildDir) // [3] sink
        .map(async (outFile) => await File.from_file_on_disk(outFile, buildDir))
    );
    [...]
  })
);

PoC

  • log into the application as an admin user
  • visit the following url: http://localhost:3000/admin/build-mobile-app/result?build_dir_name=/../../../../../../../../

NOTE: it's possible to only see file and directory names but not to download their content.

Impact

Information disclosure

Recommended Mitigation

Resolve the buildDir and check if it starts with ${rootFolder.location}/mobile_app.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0-beta.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@saltcorn/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0-beta.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-03T19:46:42Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA user with admin permission can read arbitrary file and directory names on the filesystem by calling the `admin/build-mobile-app/result?build_dir_name=` endpoint.  The `build_dir_name` parameter is not properly validated and it\u0027s then used to construct the `buildDir` that is read. The file/directory names under the `buildDir` will be returned. \n\n### Details\n\n- file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L2884-L2893\n\n```js\nrouter.get(\n  \"/build-mobile-app/result\",\n  isAdmin,\n  error_catcher(async (req, res) =\u003e {\n    const { build_dir_name } = req.query; // [1] source\n    const rootFolder = await File.rootFolder();\n    const buildDir = path.join(\n      rootFolder.location,\n      \"mobile_app\",\n      build_dir_name // [2]\n    );\n    const files = await Promise.all(\n      fs\n        .readdirSync(buildDir) // [3] sink\n        .map(async (outFile) =\u003e await File.from_file_on_disk(outFile, buildDir))\n    );\n    [...]\n  })\n);\n```\n\n### PoC\n\n- log into the application as an admin user\n- visit the following url: `http://localhost:3000/admin/build-mobile-app/result?build_dir_name=/../../../../../../../../`\n\n\n**NOTE**: it\u0027s possible to only see file and directory names but not to download their content.\n\n### Impact\n\nInformation disclosure\n\n### Recommended Mitigation\n\nResolve the `buildDir` and check if it starts with `${rootFolder.location}/mobile_app`.",
  "id": "GHSA-cfqx-f43m-vfh7",
  "modified": "2024-10-03T19:46:43Z",
  "published": "2024-10-03T19:46:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-cfqx-f43m-vfh7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/commit/81adaf78430a9b59804894574d67d2a0c7bb3dc5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saltcorn/saltcorn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/admin.js#L2884-L2893"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@saltcorn/server arbitrary file and directory listing when accessing build mobile app results"
}

GHSA-F28R-C98M-QR3R

Vulnerability from github – Published: 2023-01-15 21:30 – Updated: 2023-01-24 21:30
VLAI
Details

A vulnerability was found in tombh jekbox. It has been rated as problematic. This issue affects some unknown processing of the file lib/server.rb. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The name of the patch is 64eb2677671018fc08b96718b81e3dbc83693190. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218375.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-15019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in tombh jekbox. It has been rated as problematic. This issue affects some unknown processing of the file lib/server.rb. The manipulation leads to exposure of information through directory listing. The attack may be initiated remotely. The name of the patch is 64eb2677671018fc08b96718b81e3dbc83693190. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218375.",
  "id": "GHSA-f28r-c98m-qr3r",
  "modified": "2023-01-24T21:30:37Z",
  "published": "2023-01-15T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-15019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tombh/jekbox/commit/64eb2677671018fc08b96718b81e3dbc83693190"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.218375"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.218375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F8FJ-4VVJ-89GH

Vulnerability from github – Published: 2026-05-14 15:31 – Updated: 2026-05-14 15:31
VLAI
Details

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T15:16:45Z",
    "severity": "MODERATE"
  },
  "details": "Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset paths, plugins, themes, and media folders to view filenames, file sizes, modification timestamps, and unrendered admin templates containing sensitive route maps.",
  "id": "GHSA-f8fj-4vvj-89gh",
  "modified": "2026-05-14T15:31:59Z",
  "published": "2026-05-14T15:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/givanz/Vvveb/commit/96ae04c5e4a295e281adc1d02d77444173653deb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/givanz/Vvveb/releases/tag/1.0.8.3"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/vvveb-directory-listing-information-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design System Configuration

Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.

No CAPEC attack patterns related to this CWE.