CWE-552
AllowedFiles or Directories Accessible to External Parties
Abstraction: Base · Status: Draft
The product makes files or directories accessible to unauthorized actors, even though they should not be.
670 vulnerabilities reference this CWE, most recent first.
GHSA-4X9C-4G9P-35RM
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44It has been discovered in redhat-certification that any unauthorized user may download any file under /var/www/rhcert, provided they know its name. Red Hat Certification 6 and 7 is vulnerable to this issue.
{
"affected": [],
"aliases": [
"CVE-2019-3897"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "It has been discovered in redhat-certification that any unauthorized user may download any file under /var/www/rhcert, provided they know its name. Red Hat Certification 6 and 7 is vulnerable to this issue.",
"id": "GHSA-4x9c-4g9p-35rm",
"modified": "2022-05-24T17:44:39Z",
"published": "2022-05-24T17:44:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3897"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593768"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5272-PF3M-MJF3
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50LG LNB, LND, LNU, and LNV smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password.
{
"affected": [],
"aliases": [
"CVE-2018-16946"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-12T01:29:00Z",
"severity": "HIGH"
},
"details": "LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log \u0026 Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password.",
"id": "GHSA-5272-pf3m-mjf3",
"modified": "2022-05-13T01:50:27Z",
"published": "2022-05-13T01:50:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16946"
},
{
"type": "WEB",
"url": "https://github.com/EgeBalci/LG-Smart-IP-Device-Backup-Download"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45394"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-529R-WPPW-C5CH
Vulnerability from github – Published: 2023-12-14 18:30 – Updated: 2023-12-14 18:30Dell vApp Manager, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote malicious user with high privileges could potentially exploit this vulnerability to read arbitrary files from the target system.
{
"affected": [],
"aliases": [
"CVE-2023-48661"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-14T16:15:49Z",
"severity": "MODERATE"
},
"details": "\nDell vApp Manager, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote malicious user with high privileges could potentially exploit this vulnerability to read arbitrary files from the target system.\n\n",
"id": "GHSA-529r-wppw-c5ch",
"modified": "2023-12-14T18:30:20Z",
"published": "2023-12-14T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48661"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000220427/dsa-2023-443-dell-powermaxos-5978-dell-unisphere-360-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-solutions-enabler-virtual-appliance-and-dell-powermax-eem-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-53H8-W7QC-W9RQ
Vulnerability from github – Published: 2026-01-13 21:31 – Updated: 2026-01-13 21:31Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on affected devices.
{
"affected": [],
"aliases": [
"CVE-2025-37168"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T20:16:04Z",
"severity": "HIGH"
},
"details": "Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on affected devices.",
"id": "GHSA-53h8-w7qc-w9rq",
"modified": "2026-01-13T21:31:44Z",
"published": "2026-01-13T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37168"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us\u0026docLocale=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-54MQ-99QQ-7HR5
Vulnerability from github – Published: 2025-05-28 18:33 – Updated: 2025-10-22 00:33The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a "core dump" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.
{
"affected": [],
"aliases": [
"CVE-2025-48928"
],
"database_specific": {
"cwe_ids": [
"CWE-528",
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-28T17:15:25Z",
"severity": "MODERATE"
},
"details": "The TeleMessage service through 2025-05-05 is based on a JSP application in which the heap content is roughly equivalent to a \"core dump\" in which a password previously sent over HTTP would be included in this dump, as exploited in the wild in May 2025.",
"id": "GHSA-54mq-99qq-7hr5",
"modified": "2025-10-22T00:33:18Z",
"published": "2025-05-28T18:33:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48928"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48928"
},
{
"type": "WEB",
"url": "https://www.wired.com/story/how-the-signal-knock-off-app-telemessage-got-hacked-in-20-minutes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5553-RF4F-G9QC
Vulnerability from github – Published: 2025-02-24 15:30 – Updated: 2026-06-01 15:30Files or Directories Accessible to External Parties vulnerability in Agito Computer Health4All allows Exploiting Incorrectly Configured Access Control Security Levels, Authentication Abuse.This issue affects Health4All: before 10.01.2025.
{
"affected": [],
"aliases": [
"CVE-2024-12917"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-24T15:15:12Z",
"severity": "HIGH"
},
"details": "Files or Directories Accessible to External Parties vulnerability in Agito Computer Health4All allows Exploiting Incorrectly Configured Access Control Security Levels, Authentication Abuse.This issue affects Health4All: before 10.01.2025.",
"id": "GHSA-5553-rf4f-g9qc",
"modified": "2026-06-01T15:30:32Z",
"published": "2025-02-24T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12917"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0042"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0042"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-56QR-6HFH-52CG
Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2022-06-03 00:00Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 at WordPress.
{
"affected": [],
"aliases": [
"CVE-2022-29447"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-20T21:15:00Z",
"severity": "HIGH"
},
"details": "Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Hover Effects plugin \u003c= 2.1 at WordPress.",
"id": "GHSA-56qr-6hfh-52cg",
"modified": "2022-06-03T00:00:57Z",
"published": "2022-05-21T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29447"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/hover-effects/wordpress-hover-effects-plugin-2-1-authenticated-local-file-inclusion-lfi-vulnerability"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/hover-effects/#developers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-57GH-M6RQ-54CF
Vulnerability from github – Published: 2026-04-03 02:53 – Updated: 2026-04-03 02:53Summary
Media Local Roots Self-Whitelisting in appendLocalMediaParentRoots Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration
Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: v2026.3.28 still self-whitelists media parent dirs in src/media/local-roots.ts, but only after config already permits tool-fs root expansion, so the impact is narrower than the default-critical framing.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
1ca4261d7e055d0be141ed79ebb1365d0fbc7364— 2026-03-30T17:15:03+01:00
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T02:53:58Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nMedia Local Roots Self-Whitelisting in `appendLocalMediaParentRoots` Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: medium\n- Assessment: v2026.3.28 still self-whitelists media parent dirs in src/media/local-roots.ts, but only after config already permits tool-fs root expansion, so the impact is narrower than the default-critical framing.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `1ca4261d7e055d0be141ed79ebb1365d0fbc7364` \u2014 2026-03-30T17:15:03+01:00\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-57gh-m6rq-54cf",
"modified": "2026-04-03T02:53:58Z",
"published": "2026-04-03T02:53:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-57gh-m6rq-54cf"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/1ca4261d7e055d0be141ed79ebb1365d0fbc7364"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read \u0026 Credential Exfiltration"
}
GHSA-5824-6JFV-XR3R
Vulnerability from github – Published: 2022-05-26 00:01 – Updated: 2022-06-09 22:55In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading. A patch is available on the master branch of the repository.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gphper/ginadmin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-30428"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-01T21:12:49Z",
"nvd_published_at": "2022-05-25T16:15:00Z",
"severity": "HIGH"
},
"details": "In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading. A [patch](https://github.com/gphper/ginadmin/commit/726109f01ad23523715f36f7d272958064666a30) is available on the `master` branch of the repository.",
"id": "GHSA-5824-6jfv-xr3r",
"modified": "2022-06-09T22:55:49Z",
"published": "2022-05-26T00:01:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30428"
},
{
"type": "WEB",
"url": "https://github.com/gphper/ginadmin/issues/9"
},
{
"type": "WEB",
"url": "https://github.com/gphper/ginadmin/commit/726109f01ad23523715f36f7d272958064666a30"
},
{
"type": "PACKAGE",
"url": "github.com/gphper/ginadmin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary file read in ginadmin"
}
GHSA-58F3-CX8P-H8JG
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2024-04-23 22:30In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0"
},
{
"fixed": "7.56"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0"
},
{
"fixed": "8.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "8.0"
},
{
"fixed": "8.3.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "7.0"
},
{
"fixed": "7.56"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-6922"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T22:30:57Z",
"nvd_published_at": "2019-01-22T15:29:00Z",
"severity": "MODERATE"
},
"details": "In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.",
"id": "GHSA-58f3-cx8p-h8jg",
"modified": "2024-04-23T22:30:57Z",
"published": "2022-05-13T01:36:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6922"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6922.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6922.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-3897"
},
{
"type": "WEB",
"url": "https://www.drupal.org/SA-CORE-2017-003"
},
{
"type": "WEB",
"url": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-06-21/drupal-core-multiple"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99219"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038781"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Drupal core access bypass vulnerability"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to disable public access.
CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.