CWE-548
Exposure of Information Through Directory Listing
The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.
CVE-2021-47718 (GCVE-0-2021-47718)
Vulnerability from cvelistv5 – Published: 2025-12-09 20:40 – Updated: 2026-04-07 14:05
VLAI
Title
OpenBMCS Directory Listing Information Disclosure
Summary
OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information.
Severity
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/50671 | exploit |
| https://www.openbmcs.com | product |
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | third-party-advisory |
| https://www.vulncheck.com/advisories/openbmcs-dir… | third-party-advisory |
Date Public
2022-01-18 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47718",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T16:58:19.798973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T16:58:26.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenBMCS",
"vendor": "OPEN BMCS",
"versions": [
{
"status": "affected",
"version": "2.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
}
],
"datePublic": "2022-01-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information.\u003c/p\u003e"
}
],
"value": "OpenBMCS 2.4 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive files by exploiting directory listing functionality. Attackers can browse directories like /debug/ and /php/ to discover configuration files, database credentials, and system information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:05:41.482Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-50671",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50671"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://www.openbmcs.com"
},
{
"name": "Zero Science Lab Disclosure (ZSL-2022-5695)",
"tags": [
"third-party-advisory"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php"
},
{
"name": "VulnCheck Advisory: OpenBMCS Directory Listing Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openbmcs-directory-listing-information-disclosure"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OpenBMCS Directory Listing Information Disclosure",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47718",
"datePublished": "2025-12-09T20:40:51.688Z",
"dateReserved": "2025-12-05T19:10:29.047Z",
"dateUpdated": "2026-04-07T14:05:41.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-30625 (GCVE-0-2022-30625)
Vulnerability from cvelistv5 – Published: 2022-07-18 12:58 – Updated: 2024-09-17 03:47
VLAI
Title
Chcnav - P5E GNSS Directory listing
Summary
Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.
Severity
5.7 (Medium)
CWE
- CWE-548 - Information Exposure Through Directory Listing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.gov.il/en/Departments/faq/cve_advisories | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Chcnav | Chcnav - P5E GNSS |
Affected:
4.2 , < 4.1*
(custom)
|
Date Public
2022-07-13 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:56:13.184Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Chcnav - P5E GNSS",
"vendor": "Chcnav",
"versions": [
{
"lessThan": "4.1*",
"status": "affected",
"version": "4.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "MetaData"
}
],
"datePublic": "2022-07-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Information Exposure Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-18T12:58:39.000Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"source": {
"defect": [
"ILVN-2022-0035"
],
"discovery": "EXTERNAL"
},
"title": "Chcnav - P5E GNSS Directory listing",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@cyber.gov.il",
"DATE_PUBLIC": "2022-07-13T11:59:00.000Z",
"ID": "CVE-2022-30625",
"STATE": "PUBLIC",
"TITLE": "Chcnav - P5E GNSS Directory listing"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Chcnav - P5E GNSS",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "4.1",
"version_value": "4.2"
}
]
}
}
]
},
"vendor_name": "Chcnav"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "MetaData"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory listing is a web server function that displays the directory contents when there is no index file in a specific website directory. A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-548 Information Exposure Through Directory Listing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gov.il/en/Departments/faq/cve_advisories",
"refsource": "MISC",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
]
},
"source": {
"defect": [
"ILVN-2022-0035"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2022-30625",
"datePublished": "2022-07-18T12:58:39.399Z",
"dateReserved": "2022-05-12T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:47:36.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36243 (GCVE-0-2022-36243)
Vulnerability from cvelistv5 – Published: 2023-05-30 00:00 – Updated: 2025-01-13 20:56
VLAI
Title
Directory Traversal on Shop Beat Services
Summary
Shop Beat Solutions (pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Directory Traversal via server.shopbeat.co.za. Information Exposure Through Directory Listing vulnerability in "studio" software of Shop Beat. This issue affects: Shop Beat studio studio versions prior to 3.2.57 on arm.
Severity
5.3 (Medium)
CWE
- CWE-548 - Information Exposure Through Directory Listing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.shopbeat.co.za |
Impacted products
Date Public
2023-05-23 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:04.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.shopbeat.co.za"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-36243",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-13T20:56:00.626503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-13T20:56:36.011Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"platforms": [
"arm"
],
"product": "studio",
"vendor": "Shop Beat",
"versions": [
{
"lessThan": "3.2.57",
"status": "affected",
"version": "studio",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Shop Beat thanks Emirates National Oil Company Limited (ENOC) LLC for the above discovery."
}
],
"datePublic": "2023-05-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Shop Beat Solutions (pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to Directory Traversal via server.shopbeat.co.za. Information Exposure Through Directory Listing vulnerability in \"studio\" software of Shop Beat. This issue affects: Shop Beat studio studio versions prior to 3.2.57 on arm."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Information Exposure Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T00:00:00.000Z",
"orgId": "d3f162d7-5820-4c58-beef-03f43baaf8ad",
"shortName": "ShopBeat"
},
"references": [
{
"url": "https://www.shopbeat.co.za"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Directory Traversal on Shop Beat Services",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "d3f162d7-5820-4c58-beef-03f43baaf8ad",
"assignerShortName": "ShopBeat",
"cveId": "CVE-2022-36243",
"datePublished": "2023-05-30T00:00:00.000Z",
"dateReserved": "2022-07-18T00:00:00.000Z",
"dateUpdated": "2025-01-13T20:56:36.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-50788 (GCVE-0-2022-50788)
Vulnerability from cvelistv5 – Published: 2025-12-30 22:41 – Updated: 2026-01-05 19:34
VLAI
Title
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Information Disclosure via Log Directory
Summary
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication.
Severity
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | third-party-advisory |
| https://packetstormsecurity.com/files/170259/SOUN… | exploit |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry |
| https://www.sound4.com/ | product |
| https://www.vulncheck.com/advisories/sound-impact… | third-party-advisory |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| SOUND4 Ltd. | Impact/Pulse/First |
Affected:
Version 2: 1.1/2.15
|
|
| SOUND4 Ltd. | Impact/Pulse Eco |
Affected:
1.16
|
|
| SOUND4 Ltd. | BigVoice4 |
Affected:
1.2
|
|
| SOUND4 Ltd. | BigVoice2 |
Affected:
1.30
|
|
| SOUND4 Ltd. | Stream |
Affected:
1.1/2.4.29
|
|
| Kantar Media | WM2 |
Affected:
1.11
|
Date Public
2022-12-14 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50788",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:34:46.699842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:34:54.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Impact/Pulse/First",
"vendor": "SOUND4 Ltd.",
"versions": [
{
"status": "affected",
"version": "Version 2: 1.1/2.15"
}
]
},
{
"product": "Impact/Pulse Eco",
"vendor": "SOUND4 Ltd.",
"versions": [
{
"status": "affected",
"version": "1.16"
}
]
},
{
"product": "BigVoice4",
"vendor": "SOUND4 Ltd.",
"versions": [
{
"status": "affected",
"version": "1.2"
}
]
},
{
"product": "BigVoice2",
"vendor": "SOUND4 Ltd.",
"versions": [
{
"status": "affected",
"version": "1.30"
}
]
},
{
"product": "Stream",
"vendor": "SOUND4 Ltd.",
"versions": [
{
"status": "affected",
"version": "1.1/2.4.29"
}
]
},
{
"product": "WM2",
"vendor": "Kantar Media",
"versions": [
{
"status": "affected",
"version": "1.11"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
}
],
"datePublic": "2022-12-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SOUND4 IMPACT/FIRST/PULSE/Eco \u003c=2.x contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive log files. Attackers can directly browse the /log directory to retrieve system and sensitive information without authentication."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T22:41:36.215Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Zero Science Lab Disclosure (ZSL-2022-5732)",
"tags": [
"third-party-advisory"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5732.php"
},
{
"name": "Packet Storm Security Exploit Details",
"tags": [
"exploit"
],
"url": "https://packetstormsecurity.com/files/170259/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-Information-Disclosure.html"
},
{
"name": "IBM X-Force Vulnerability Exchange Entry",
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/247921"
},
{
"name": "SOUND4 Product Homepage",
"tags": [
"product"
],
"url": "https://www.sound4.com/"
},
{
"name": "VulnCheck Advisory: SOUND4 IMPACT/FIRST/PULSE/Eco \u003c=2.x Information Disclosure via Log Directory",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-information-disclosure-via-log-directory"
}
],
"title": "SOUND4 IMPACT/FIRST/PULSE/Eco \u003c=2.x Information Disclosure via Log Directory",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2022-50788",
"datePublished": "2025-12-30T22:41:36.215Z",
"dateReserved": "2025-12-26T16:41:38.889Z",
"dateUpdated": "2026-01-05T19:34:54.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-38265 (GCVE-0-2023-38265)
Vulnerability from cvelistv5 – Published: 2026-02-17 19:06 – Updated: 2026-02-17 22:04
VLAI
Title
Improper Access Control and Exposure of Information Through Directory Listing vulnerabilities affect IBM Cloud Pak System[, ]
Summary
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system.
Severity
5.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7259955 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Cloud Pak System |
Affected:
2.3.3.6 , ≤ 2.1.0
(semver)
Affected: 2.3.3.7 Affected: 2.3.4.0 Affected: 2.3.4.1 Affected: 2.3.5.0 cpe:2.3:a:ibm:cloud_pak_system:2.3.3.6:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_system:2.3.3.7:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_system:2.3.4.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:cloud_pak_system:2.3.5.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-17T19:52:30.062814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T19:52:46.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:cloud_pak_system:2.3.3.6:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_system:2.3.3.7:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_system:2.3.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_system:2.3.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_system:2.3.5.0:*:*:*:*:*:*:*"
],
"product": "Cloud Pak System",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "2.3.3.6",
"versionType": "semver"
},
{
"status": "affected",
"version": "2.3.3.7"
},
{
"status": "affected",
"version": "2.3.4.0"
},
{
"status": "affected",
"version": "2.3.4.1"
},
{
"status": "affected",
"version": "2.3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system.\u003c/p\u003e"
}
],
"value": "IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-17T22:04:05.120Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7259955"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis Security Bulletin applies to IBM Cloud Pak System, IBM Cloud Pak System Software, IBM Cloud Pak System Software Suite. For Intel releases, IBM strongly recommends addressing this vulnerability now by upgrading to\u0026nbsp; v2.3.4.1 Interim Fix 1 or latest upgrade to Cloud Pak System 2.3.6.1 , For Power, contact IBM Support. For unsupported versions the recommendation is to upgrade/migrate to supported version of the product.\u003c/p\u003e"
}
],
"value": "This Security Bulletin applies to IBM Cloud Pak System, IBM Cloud Pak System Software, IBM Cloud Pak System Software Suite. For Intel releases, IBM strongly recommends addressing this vulnerability now by upgrading to\u00a0 v2.3.4.1 Interim Fix 1 or latest upgrade to Cloud Pak System 2.3.6.1 , For Power, contact IBM Support. For unsupported versions the recommendation is to upgrade/migrate to supported version of the product."
}
],
"title": "Improper Access Control and Exposure of Information Through Directory Listing vulnerabilities affect IBM Cloud Pak System[, ]",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2023-38265",
"datePublished": "2026-02-17T19:06:58.470Z",
"dateReserved": "2023-07-14T00:46:14.889Z",
"dateUpdated": "2026-02-17T22:04:05.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2340 (GCVE-0-2024-2340)
Vulnerability from cvelistv5 – Published: 2024-04-09 18:59 – Updated: 2026-04-08 17:06
VLAI
Title
Avada <= 7.11.6 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing
Summary
The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism.
Severity
5.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeFusion | Avada | Website Builder For WordPress & WooCommerce |
Affected:
0 , ≤ 7.11.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8db8bbc3-43ca-4ef5-a44d-2987c8597961?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://avada.com/documentation/avada-changelog/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:theme-fusion:avada:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "avada",
"vendor": "theme-fusion",
"versions": [
{
"lessThan": "7.11.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2340",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T18:25:37.807880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T18:27:14.000Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Avada | Website Builder For WordPress \u0026 WooCommerce",
"vendor": "ThemeFusion",
"versions": [
{
"lessThanOrEqual": "7.11.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Zeeshan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the \u0027/wp-content/uploads/fusion-forms/\u0027 directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:13.768Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8db8bbc3-43ca-4ef5-a44d-2987c8597961?source=cve"
},
{
"url": "https://avada.com/documentation/avada-changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-20T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Avada \u003c= 7.11.6 - Unauthenticated Sensitive Information Exposure via Form Uploads Directory Listing"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2340",
"datePublished": "2024-04-09T18:59:06.567Z",
"dateReserved": "2024-03-08T20:06:51.188Z",
"dateUpdated": "2026-04-08T17:06:13.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-28766 (GCVE-0-2024-28766)
Vulnerability from cvelistv5 – Published: 2025-01-27 01:14 – Updated: 2025-02-12 20:41
VLAI
Title
IBM Security Directory Integrator information disclosure
Summary
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could disclose sensitive information about directory contents that could aid in further attacks against the system.
Severity
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Security Directory Integrator |
Affected:
7.2.0
cpe:2.3:a:ibm:security_directory_integrator:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:security_directory_integrator:10.0.0:*:*:*:*:*:*:* |
|
| IBM | Security Verify Directory Integrator |
Affected:
10.0.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:25:30.504687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:32.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:security_directory_integrator:7.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:security_directory_integrator:10.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Security Directory Integrator",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "7.2.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Security Verify Directory Integrator",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "10.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could disclose sensitive information about directory contents that could aid in further attacks against the system."
}
],
"value": "IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could disclose sensitive information about directory contents that could aid in further attacks against the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T01:14:42.274Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7161444"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Security Directory Integrator information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28766",
"datePublished": "2025-01-27T01:14:42.274Z",
"dateReserved": "2024-03-10T12:22:43.138Z",
"dateUpdated": "2025-02-12T20:41:32.572Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35113 (GCVE-0-2024-35113)
Vulnerability from cvelistv5 – Published: 2025-01-25 13:32 – Updated: 2025-01-27 17:29
VLAI
Title
IBM Control Center information disclosure
Summary
IBM Control Center 6.2.1 and 6.3.1
could allow an authenticated user to obtain sensitive information exposed through a directory listing.
Severity
4.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7174796 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Control Center |
Affected:
6.2.1, 6.3.1
cpe:2.3:a:ibm:control_center:6.2.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:control_center:6.3.1.0:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T17:29:37.014325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T17:29:43.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:control_center:6.2.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:control_center:6.3.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Control Center",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "6.2.1, 6.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Control Center 6.2.1 and 6.3.1 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow an authenticated user to obtain sensitive information exposed through a directory listing.\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "IBM Control Center 6.2.1 and 6.3.1 \n\n\n\ncould allow an authenticated user to obtain sensitive information exposed through a directory listing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-25T13:32:39.872Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7174796"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Control Center information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-35113",
"datePublished": "2025-01-25T13:32:39.872Z",
"dateReserved": "2024-05-09T16:27:02.677Z",
"dateUpdated": "2025-01-27T17:29:43.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3707 (GCVE-0-2024-3707)
Vulnerability from cvelistv5 – Published: 2024-04-12 13:52 – Updated: 2024-08-09 15:39
VLAI
Title
Exposure of Information Through Directory Listing vulnerability in OpenGnsys
Summary
Information exposure vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to enumerate all files in the web tree by accessing a php file.
Severity
5.3 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
Date Public
2024-04-12 10:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:01.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys"
},
{
"tags": [
"x_transferred"
],
"url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opengnsys:opengnsys:1.1.1d:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "opengnsys",
"vendor": "opengnsys",
"versions": [
{
"status": "affected",
"version": "1.1.1d"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-15T14:15:58.308159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T15:39:49.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenGnsys",
"vendor": "OpenGnsys",
"versions": [
{
"status": "affected",
"version": "1.1.1d"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Gabald\u00f3n Jul\u00e1"
},
{
"lang": "en",
"type": "finder",
"value": "Javier Medina Munuera"
},
{
"lang": "en",
"type": "finder",
"value": "Antonio Jos\u00e9 G\u00e1lvez S\u00e1nchez"
}
],
"datePublic": "2024-04-12T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to enumerate all files in the web tree by accessing a php file."
}
],
"value": "Information exposure vulnerability in OpenGnsys affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to enumerate all files in the web tree by accessing a php file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548: Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T12:48:24.659Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys"
},
{
"url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The OpenGnsys development team has released a security patch that resolves the reported vulnerabilities. These fixes will be included in the next version to be released shortly."
}
],
"value": "The OpenGnsys development team has released a security patch that resolves the reported vulnerabilities. These fixes will be included in the next version to be released shortly."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Exposure of Information Through Directory Listing vulnerability in OpenGnsys",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-3707",
"datePublished": "2024-04-12T13:52:30.361Z",
"dateReserved": "2024-04-12T10:44:54.894Z",
"dateUpdated": "2024-08-09T15:39:49.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45096 (GCVE-0-2024-45096)
Vulnerability from cvelistv5 – Published: 2024-09-05 15:34 – Updated: 2024-09-05 15:47
VLAI
Title
IBM Aspera Faspex information disclosure
Summary
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user with access to the package to obtain sensitive information through a directory listing.
Severity
6.5 (Medium)
CWE
- CWE-548 - Exposure of Information Through Directory Listing
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Aspera Faspex |
Affected:
5.0.0 , ≤ 5.0.9
(semver)
cpe:2.3:a:ibm:aspera_faspex:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:aspera_faspex:5.0.9:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T15:46:58.967984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T15:47:08.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:aspera_faspex:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:aspera_faspex:5.0.9:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Aspera Faspex",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "5.0.9",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jan van der Put, Jasper Westerman, Yanick de Pater of REQON B.V."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user with access to the package to obtain sensitive information through a directory listing."
}
],
"value": "IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user with access to the package to obtain sensitive information through a directory listing."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-548",
"description": "CWE-548 Exposure of Information Through Directory Listing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T15:34:22.413Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"url": "https://www.ibm.com/support/pages/node/7167255"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Aspera Faspex information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45096",
"datePublished": "2024-09-05T15:34:22.413Z",
"dateReserved": "2024-08-21T19:11:14.497Z",
"dateUpdated": "2024-09-05T15:47:08.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phases: Architecture and Design, System Configuration
Description:
- Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.
No CAPEC attack patterns related to this CWE.