CWE-23
Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CVE-2025-58752 (GCVE-0-2025-58752)
Vulnerability from cvelistv5 – Published: 2025-09-08 22:56 – Updated: 2025-09-09 13:29
VLAI
Title
Vite's `server.fs` settings were not applied to HTML files
Summary
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: 'spa'` (default) or `appType: 'mpa'` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue.
Severity
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/vitejs/vite/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/vitejs/vite/commit/0ab19ea9fcb… | x_refsource_MISC |
| https://github.com/vitejs/vite/commit/14015d794f6… | x_refsource_MISC |
| https://github.com/vitejs/vite/commit/482000f57f5… | x_refsource_MISC |
| https://github.com/vitejs/vite/commit/6f01ff4fe07… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58752",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:13:50.971669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:29:30.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vite",
"vendor": "vitejs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.4.20"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.3.6"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.0.7"
},
{
"status": "affected",
"version": "\u003e= 7.1.0, \u003c 7.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, any HTML files on the machine were served regardless of the `server.fs` settings. Only apps that explicitly expose the Vite dev server to the network (using --host or server.host config option) and use `appType: \u0027spa\u0027` (default) or `appType: \u0027mpa\u0027` are affected. This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. Versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20 fix the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T22:56:58.039Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3"
},
{
"name": "https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f"
},
{
"name": "https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e"
},
{
"name": "https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea"
},
{
"name": "https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6"
}
],
"source": {
"advisory": "GHSA-jqfw-vq24-v9c3",
"discovery": "UNKNOWN"
},
"title": "Vite\u0027s `server.fs` settings were not applied to HTML files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58752",
"datePublished": "2025-09-08T22:56:58.039Z",
"dateReserved": "2025-09-04T19:18:09.499Z",
"dateUpdated": "2025-09-09T13:29:30.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58760 (GCVE-0-2025-58760)
Vulnerability from cvelistv5 – Published: 2025-09-09 19:56 – Updated: 2025-09-10 20:18
VLAI
Title
Tautulli vulnerable to Unauthenticated Path Traversal in `/image` endpoint
Summary
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. In Tautulli, the `/image` API endpoint is used to serve static images from the application's data directory to users. This endpoint can be accessed without authentication, and its intended purpose is for server background images and icons within the user interface. Attackers can exfiltrate files from the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue.
Severity
8.6 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Tautulli/Tautulli/security/adv… | x_refsource_CONFIRM |
| https://github.com/Tautulli/Tautulli/commit/47566… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58760",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T20:17:52.867552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-10T20:18:02.075Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Tautulli",
"vendor": "Tautulli",
"versions": [
{
"status": "affected",
"version": "\u003c 2.16.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server\u0027s filesystem. In Tautulli, the `/image` API endpoint is used to serve static images from the application\u0027s data directory to users. This endpoint can be accessed without authentication, and its intended purpose is for server background images and icons within the user interface. Attackers can exfiltrate files from the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T19:56:57.962Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-8g4r-8f3f-hghp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-8g4r-8f3f-hghp"
},
{
"name": "https://github.com/Tautulli/Tautulli/commit/47566128e2e5dde98980d59b7a51b98173bc0b40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Tautulli/Tautulli/commit/47566128e2e5dde98980d59b7a51b98173bc0b40"
}
],
"source": {
"advisory": "GHSA-8g4r-8f3f-hghp",
"discovery": "UNKNOWN"
},
"title": "Tautulli vulnerable to Unauthenticated Path Traversal in `/image` endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58760",
"datePublished": "2025-09-09T19:56:57.962Z",
"dateReserved": "2025-09-04T19:18:09.500Z",
"dateUpdated": "2025-09-10T20:18:02.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59336 (GCVE-0-2025-59336)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:59 – Updated: 2025-09-16 18:26
VLAI
Title
Relative Path Traversal in Luanox
Summary
Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1.
Severity
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/lumen-oss/luanox/security/advi… | x_refsource_CONFIRM |
| https://github.com/lumen-oss/luanox/commit/2b6237… | x_refsource_MISC |
| https://github.com/lumen-oss/luanox/commit/519864… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T17:29:06.976997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T18:26:11.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "luanox",
"vendor": "lumen-oss",
"versions": [
{
"status": "affected",
"version": "\u003c 0.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Luanox is a module host for Lua packages. Prior to 0.1.1, a file traversal vulnerability can cause potential denial of service by overwriting Phoenix runtime files. Package names like ../../package are not properly filtered and pass the validity check of the rockspec verification system. This causes the uploaded file to be stored at the relative path location. If planned carefully, this could overwrite a runtime file and cause the website to crash. This vulnerability is fixed by 0.1.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:59:17.505Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lumen-oss/luanox/security/advisories/GHSA-42c5-x4pj-4p3w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lumen-oss/luanox/security/advisories/GHSA-42c5-x4pj-4p3w"
},
{
"name": "https://github.com/lumen-oss/luanox/commit/2b6237f3baaa1d905c491fca29f8301835721c46",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lumen-oss/luanox/commit/2b6237f3baaa1d905c491fca29f8301835721c46"
},
{
"name": "https://github.com/lumen-oss/luanox/commit/5198640c9644e2fcef5809f83b9ab0a9b4d0eeb2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lumen-oss/luanox/commit/5198640c9644e2fcef5809f83b9ab0a9b4d0eeb2"
}
],
"source": {
"advisory": "GHSA-42c5-x4pj-4p3w",
"discovery": "UNKNOWN"
},
"title": "Relative Path Traversal in Luanox"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59336",
"datePublished": "2025-09-16T16:59:17.505Z",
"dateReserved": "2025-09-12T12:36:24.635Z",
"dateUpdated": "2025-09-16T18:26:11.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59341 (GCVE-0-2025-59341)
Vulnerability from cvelistv5 – Published: 2025-09-17 17:55 – Updated: 2025-09-17 18:09
VLAI
Title
Local File Inclusion in esm.sh
Summary
esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources).
Severity
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/esm-dev/esm.sh/security/adviso… | x_refsource_CONFIRM |
| https://github.com/esm-dev/esm.sh/blob/c62f191d32… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59341",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T18:07:46.500692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T18:09:50.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esm.sh",
"vendor": "esm-dev",
"versions": [
{
"status": "affected",
"version": "\u003c= 136"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T17:55:25.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esm-dev/esm.sh/security/advisories/GHSA-49pv-gwxp-532r"
},
{
"name": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/esm-dev/esm.sh/blob/c62f191d32639314ff0525d1c3c0e19ea2b16143/server/router.go#L1168"
}
],
"source": {
"advisory": "GHSA-49pv-gwxp-532r",
"discovery": "UNKNOWN"
},
"title": "Local File Inclusion in esm.sh"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59341",
"datePublished": "2025-09-17T17:55:25.827Z",
"dateReserved": "2025-09-12T12:36:24.635Z",
"dateUpdated": "2025-09-17T18:09:50.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59682 (GCVE-0-2025-59682)
Vulnerability from cvelistv5 – Published: 2025-10-01 00:00 – Updated: 2025-11-04 21:13
VLAI
Summary
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.
Severity
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| djangoproject | Django |
Affected:
4.2 , < 4.2.25
(custom)
Affected: 5.1 , < 5.1.13 (custom) Affected: 5.2 , < 5.2.7 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-01T19:10:29.537724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T19:10:39.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:13:56.342Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/01/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Django",
"vendor": "djangoproject",
"versions": [
{
"lessThan": "4.2.25",
"status": "affected",
"version": "4.2",
"versionType": "custom"
},
{
"lessThan": "5.1.13",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "5.2.7",
"status": "affected",
"version": "5.2",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.2.25",
"versionStartIncluding": "4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.1.13",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.2.7",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the \"startapp --template\" and \"startproject --template\" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T18:51:53.204Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"url": "https://groups.google.com/g/django-announce"
},
{
"url": "https://www.djangoproject.com/weblog/2025/oct/01/security-releases/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-59682",
"datePublished": "2025-10-01T00:00:00.000Z",
"dateReserved": "2025-09-18T00:00:00.000Z",
"dateUpdated": "2025-11-04T21:13:56.342Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59776 (GCVE-0-2025-59776)
Vulnerability from cvelistv5 – Published: 2025-10-23 22:17 – Updated: 2025-10-24 14:27
VLAI
Title
AutomationDirect Productivity Suite Relative Path Traversal
Summary
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine.
Severity
CWE
Assigner
References
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| AutomationDirect | Productivity Suite |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-622 CPU |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-550E CPU |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-530 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 2000 P2-622 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 2000 P2-550 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 1000 P1-550 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 1000 P1-540 CPU |
Affected:
0 , < SW v4.4.1.19
(custom)
|
Date Public
2025-10-23 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T14:27:37.744469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T14:27:46.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Productivity Suite",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-622 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-550E CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-530 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 2000 P2-622 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 2000 P2-550 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 1000 P1-550 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 1000 P1-540 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThan": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_suite:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-622_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-550e_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-530_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_2000_p2-622_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_2000_p2-550_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_1000_p1-550_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_1000_p1-540_cpu:*:*:*:*:*:*:*:*",
"versionEndExcluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luca Borzacchiello of Nozomi Networks reported these vulnerabilities to AutomationDirect."
}
],
"datePublic": "2025-10-23T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and create arbitrary directories on the target machine."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T22:17:23.123Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
},
{
"url": "https://www.automationdirect.com/support/software-downloads"
},
{
"url": "https://support.automationdirect.com/docs/securityconsiderations.pdf"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAutomationDirect recommends that users do the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate the Productivity Suite programming software to version 4.5.0.x or higher.\u003c/li\u003e\u003cli\u003eUpdate the firmware of Productivity PLCs to the latest version. \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.automationdirect.com/support/software-downloads\"\u003ehttps://www.automationdirect.com/support/software-downloads\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAlthough automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\u003c/li\u003e\u003cli\u003eIt is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\u003c/li\u003e\u003cli\u003eAutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "AutomationDirect recommends that users do the following:\n\n * Update the Productivity Suite programming software to version 4.5.0.x or higher.\n * Update the firmware of Productivity PLCs to the latest version. https://www.automationdirect.com/support/software-downloads \n * Although automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\n * It is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\n * AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application."
}
],
"source": {
"advisory": "ICSA-25-296-01",
"discovery": "EXTERNAL"
},
"title": "AutomationDirect Productivity Suite Relative Path Traversal",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhysically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\u003c/li\u003e\u003cli\u003eConfigure network segmentation to isolate the PLC from other devices and systems within the organization.\u003c/li\u003e\u003cli\u003eImplement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\u003c/li\u003e\u003cli\u003ePlease refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.automationdirect.com/docs/securityconsiderations.pdf\"\u003eAutomationDirect\u0027s security considerations\u003c/a\u003e\u0026nbsp;for additional information.\u003c/li\u003e\u003cli\u003eIf you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "AutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\n\n * Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\n * Configure network segmentation to isolate the PLC from other devices and systems within the organization.\n * Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\n * Please refer to AutomationDirect\u0027s security considerations https://support.automationdirect.com/docs/securityconsiderations.pdf \u00a0for additional information.\n * If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance."
}
],
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-59776",
"datePublished": "2025-10-23T22:17:23.123Z",
"dateReserved": "2025-10-21T21:55:11.887Z",
"dateUpdated": "2025-10-24T14:27:46.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59835 (GCVE-0-2025-59835)
Vulnerability from cvelistv5 – Published: 2025-10-02 18:59 – Updated: 2025-10-02 19:50
VLAI
Title
LangBot has a cross-directory file upload vulnerability, which could lead to system takeover
Summary
LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5.
Severity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/langbot-app/LangBot/security/a… | x_refsource_CONFIRM |
| https://github.com/langbot-app/LangBot/pull/1691 | x_refsource_MISC |
| https://github.com/langbot-app/LangBot/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| langbot-app | LangBot |
Affected:
>= 4.1.0, < 4.3.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59835",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-02T19:50:28.048098Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T19:50:39.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "LangBot",
"vendor": "langbot-app",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.1.0, \u003c 4.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangBot is a global IM bot platform designed for LLMs. In versions 4.1.0 up to but not including 4.3.5, authorized attackers can exploit the /api/v1/files/documents interface to perform arbitrary file uploads. Since this interface does not strictly restrict the storage directory of files on the server, it is possible to upload dangerous files to specific system directories. This is fixed in version 4.3.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-02T18:59:42.808Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langbot-app/LangBot/security/advisories/GHSA-7j3j-qj83-9qv4"
},
{
"name": "https://github.com/langbot-app/LangBot/pull/1691",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langbot-app/LangBot/pull/1691"
},
{
"name": "https://github.com/langbot-app/LangBot/releases/tag/v4.3.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langbot-app/LangBot/releases/tag/v4.3.5"
}
],
"source": {
"advisory": "GHSA-7j3j-qj83-9qv4",
"discovery": "UNKNOWN"
},
"title": "LangBot has a cross-directory file upload vulnerability, which could lead to system takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59835",
"datePublished": "2025-10-02T18:59:42.808Z",
"dateReserved": "2025-09-22T14:34:03.471Z",
"dateUpdated": "2025-10-02T19:50:39.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-60020 (GCVE-0-2025-60020)
Vulnerability from cvelistv5 – Published: 2025-09-24 00:00 – Updated: 2025-09-24 14:05
VLAI
Summary
nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data.
Severity
6.4 (Medium)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-60020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-24T14:04:47.418983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T14:05:06.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NNCP",
"vendor": "NNCP",
"versions": [
{
"lessThan": "8.12.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "nncp before 8.12.0 allows path traversal (for reading or writing) during freqing and file saving via a crafted path in packet data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T12:58:15.170Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://www.nncpgo.org/Release-8_005f12_005f0.html"
},
{
"url": "http://lists.cypherpunks.su/archive/nncp-devel/CAO-d-4riai9EZx4gVfekow-BCtTn07k8BB1ZdsopPVw=scWD1A@mail.gmail.com/T/#md678a00df1020bb811f47f42ef33c54b789cddd7"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-60020",
"datePublished": "2025-09-24T00:00:00.000Z",
"dateReserved": "2025-09-24T00:00:00.000Z",
"dateUpdated": "2025-09-24T14:05:06.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-60023 (GCVE-0-2025-60023)
Vulnerability from cvelistv5 – Published: 2025-10-23 22:21 – Updated: 2025-10-24 14:27
VLAI
Title
AutomationDirect Productivity Suite Relative Path Traversal
Summary
A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.
Severity
CWE
Assigner
References
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| AutomationDirect | Productivity Suite |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-622 CPU |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-550E CPU |
Affected:
0 , ≤ SW V4.2.1.9
(custom)
|
|
| AutomationDirect | Productivity 3000 P3-530 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 2000 P2-622 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 2000 P2-550 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 1000 P1-550 CPU |
Affected:
0 , ≤ SW v4.4.1.19
(custom)
|
|
| AutomationDirect | Productivity 1000 P1-540 CPU |
Affected:
0 , < SW v4.4.1.19
(custom)
|
Date Public
2025-10-23 16:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-60023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T14:27:05.405233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T14:27:12.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Productivity Suite",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-622 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-550E CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW V4.2.1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 3000 P3-530 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 2000 P2-622 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 2000 P2-550 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 1000 P1-550 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThanOrEqual": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Productivity 1000 P1-540 CPU",
"vendor": "AutomationDirect",
"versions": [
{
"lessThan": "SW v4.4.1.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_suite:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-622_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-550e_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.2.1.9",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_3000_p3-530_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_2000_p2-622_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_2000_p2-550_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_1000_p1-550_cpu:*:*:*:*:*:*:*:*",
"versionEndIncluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:automationdirect:productivity_1000_p1-540_cpu:*:*:*:*:*:*:*:*",
"versionEndExcluding": "sw_v4.4.1.19",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luca Borzacchiello of Nozomi Networks reported these vulnerabilities to AutomationDirect."
}
],
"datePublic": "2025-10-23T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "A relative path traversal vulnerability was discovered in Productivity Suite software version 4.4.1.19. The vulnerability allows an unauthenticated remote attacker to interact with the ProductivityService PLC simulator and delete arbitrary directories on the target machine."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T22:21:05.084Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-296-01"
},
{
"url": "https://www.automationdirect.com/support/software-downloads"
},
{
"url": "https://support.automationdirect.com/docs/securityconsiderations.pdf"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-296-01.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAutomationDirect recommends that users do the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate the Productivity Suite programming software to version 4.5.0.x or higher.\u003c/li\u003e\u003cli\u003eUpdate the firmware of Productivity PLCs to the latest version. \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.automationdirect.com/support/software-downloads\"\u003ehttps://www.automationdirect.com/support/software-downloads\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAlthough automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\u003c/li\u003e\u003cli\u003eIt is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\u003c/li\u003e\u003cli\u003eAutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "AutomationDirect recommends that users do the following:\n\n * Update the Productivity Suite programming software to version 4.5.0.x or higher.\n * Update the firmware of Productivity PLCs to the latest version. https://www.automationdirect.com/support/software-downloads \n * Although automation networks and systems come equipped with built-in password protection mechanisms, this represents a fraction of the security measures needed to safeguard these systems.\n * It is imperative that automation control system networks integrate data protection and security measures that match, if not exceed, the robustness of conventional business computer systems.\n * AutomationDirect advises users of PLCs, HMI products, and SCADA systems to conduct a thorough network security analysis to ascertain the appropriate level of security necessary for their specific application."
}
],
"source": {
"advisory": "ICSA-25-296-01",
"discovery": "EXTERNAL"
},
"title": "AutomationDirect Productivity Suite Relative Path Traversal",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\u003c/p\u003e\u003cul\u003e\u003cli\u003ePhysically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\u003c/li\u003e\u003cli\u003eConfigure network segmentation to isolate the PLC from other devices and systems within the organization.\u003c/li\u003e\u003cli\u003eImplement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\u003c/li\u003e\u003cli\u003ePlease refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.automationdirect.com/docs/securityconsiderations.pdf\"\u003eAutomationDirect\u0027s security considerations\u003c/a\u003e\u0026nbsp;for additional information.\u003c/li\u003e\u003cli\u003eIf you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "AutomationDirect has identified the following mitigations for instances where systems cannot be upgraded to the latest version:\n\n * Physically disconnect the PLC from any external networks, including the internet, local area networks (LANs), and other interconnected systems.\n * Configure network segmentation to isolate the PLC from other devices and systems within the organization.\n * Implement firewall rules or network access control (NAC) policies to block incoming and outgoing traffic to the PLC.\n * Please refer to AutomationDirect\u0027s security considerations https://support.automationdirect.com/docs/securityconsiderations.pdf \u00a0for additional information.\n * If you have any questions regarding this issue, please contact AutomationDirect Technical Support at 770-844-4200 or 800-633-0405 for further assistance."
}
],
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-60023",
"datePublished": "2025-10-23T22:21:05.084Z",
"dateReserved": "2025-10-21T21:55:11.899Z",
"dateUpdated": "2025-10-24T14:27:12.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-62187 (GCVE-0-2025-62187)
Vulnerability from cvelistv5 – Published: 2025-10-07 00:00 – Updated: 2025-10-08 13:24
VLAI
Summary
In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder).
Severity
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62187",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-08T13:24:27.119690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T13:24:39.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Anki",
"vendor": "Ankitects",
"versions": [
{
"lessThan": "25.02.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ankitects:anki:*:*:*:*:*:*:*:*",
"versionEndExcluding": "25.02.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Ankitects Anki before 25.02.6, crafted sound file references could cause files to be written to arbitrary locations on Windows and Linux (media file pathnames are not necessarily relative to the media folder)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T21:07:45.482Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ankitects/anki/releases/tag/25.02.6"
},
{
"url": "https://github.com/ankitects/anki/pull/4041"
},
{
"url": "https://github.com/ankitects/anki/pull/4041/commits/51476e05b281737a0c2924342bccdb6e5be52ea9"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-62187",
"datePublished": "2025-10-07T00:00:00.000Z",
"dateReserved": "2025-10-07T00:00:00.000Z",
"dateUpdated": "2025-10-08T13:24:39.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation ID: MIT-5.1
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.
- Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering "/" is insufficient protection if the filesystem also supports the use of "\" as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if "../" sequences are removed from the ".../...//" string in a sequential fashion, two instances of "../" would be removed from the original string, but the remaining characters would still form the "../" string.
Mitigation ID: MIT-20.1
Phase: Implementation
Strategy: Input Validation
Description:
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
- Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".." sequences and symbolic links (CWE-23, CWE-59). This includes:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
Mitigation ID: MIT-29
Phase: Operation
Strategy: Firewall
Description:
- Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-139: Relative Path Traversal
An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.