
CWE-24 (Path Traversal: '../filedir') — Vulnerability Class (91 CVEs)

91 vulnerabilities are classified as CWE-24 (Path Traversal: '../filedir'). AI-generated analysis in Chinese is included.

CWE-24 represents a critical input validation weakness where software fails to properly sanitize user-supplied data before constructing file paths. Attackers typically exploit this vulnerability by injecting directory traversal sequences, such as "../", into input fields to manipulate the resulting pathname. This manipulation allows the application to resolve paths outside the intended restricted directory, enabling unauthorized access to sensitive system files, configuration data, or source code. To mitigate this risk, developers must implement robust input validation strategies that strictly whitelist allowed characters and reject any path components containing traversal sequences. Additionally, employing canonicalization techniques to normalize paths before validation ensures that encoded or double-encoded attacks are detected. Restricting file system access through chroot jails or containerization further limits the potential impact of successful exploitation, ensuring that even if validation fails, the attacker cannot escape the designated secure boundary.

MITRE CWE Description
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory. The "../" manipulation is the canonical manipulation for operating systems that use "/" as directory separators, such as UNIX- and Linux-based systems. In some cases, it is useful for bypassing protection schemes in environments for which "/" is supported but not the primary separator, such as Windows, which uses "\" but can also accept "/".
Common Consequences (1)
Scope: Confidentiality, Integrity. Impact: Read Files or Directories, Modify Files or Directories.
Mitigations (2)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
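As an added example (not part of this page or of any project listed below), the two mitigations above combined into one Python resolver: decode the input exactly once, treat "\" like "/", allowlist each path component, then canonicalize and require the result to stay under the base directory. The base directory, file names and the symlink scenario are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# "Accept known good": a single path component may contain only these characters.
# ".." also matches this pattern, so it is rejected by an explicit check below.
COMPONENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")

def resolve_in_base(base_dir: str, user_path: str) -> str:
    """Map an untrusted relative path onto base_dir, or raise ValueError.
    Order follows the CWE-24 mitigations: decode once, canonicalize, validate."""
    # 1. Decode exactly once (CWE-174): "%252e%252e" becomes "%2e%2e", which
    #    still fails the allowlist instead of turning into ".." on a second pass.
    decoded = unquote(user_path)
    if "\0" in decoded:
        raise ValueError("NUL byte in path")
    # 2. Treat "\" like "/" so a Windows-style separator cannot hide "..".
    #    Empty and "." components are dropped, so "/etc/x" maps to base/etc/x.
    parts = [p for p in re.split(r"[\\/]+", decoded) if p not in ("", ".")]
    if not parts:
        raise ValueError("empty path")
    # 3. Allowlist every component; reject ".." explicitly.
    for part in parts:
        if part == ".." or not COMPONENT_RE.match(part):
            raise ValueError(f"rejected path component: {part!r}")
    # 4. Canonicalize (resolves symlinks) and require the result to stay inside.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, *parts))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes base directory")
    return target

def is_allowed(base_dir: str, user_path: str) -> bool:
    try:
        resolve_in_base(base_dir, user_path)
        return True
    except ValueError:
        return False

def symlink_escape_detected() -> bool:
    """Constructed scenario: a symlink inside the base points outside it.
    "link/secret.txt" passes the lexical checks; realpath exposes the escape."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.mkdir(base)
        os.symlink(root, os.path.join(base, "link"))
        return not is_allowed(base, "link/secret.txt")
```

The lexical checks alone would accept the symlink case, which is why the canonicalization step runs after the allowlist rather than instead of it.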
CVE ID | Title | CVSS | Severity | Published
CVE-2025-1588 | PHPGurukul Online Nurse Hiring System manage-nurse.php path traversal — Online Nurse Hiring System | 6.5 | Medium | 2025-02-23
CVE-2025-1584 | opensolon Solon StaticMappings.java path traversal — Solon | 4.3 | Medium | 2025-02-23
CVE-2025-1086 | Safetytest Cloud-Master Server static path traversal — Cloud-Master Server | 5.3 | Medium | 2025-02-07
CVE-2025-0390 | Guangzhou Huayi Intelligent Technology Jeewms wmOmNoticeHController.do path traversal — Jeewms | 5.3 | Medium | 2025-01-11
CVE-2024-13130 | Dahua IPC-HFW1200S Web Interface Sha1Account1 path traversal — IPC-HFW1200S | 4.3 | Medium | 2025-01-05
CVE-2024-12897 | Intelbras VIP S4320 G2 Web Interface Sha1Account1 path traversal — VIP S3020 G2 | 4.3 | Medium | 2024-12-22
CVE-2024-12482 | cjbi wetech-cms Database Backup BackupFileUtil.java backup path traversal — wetech-cms | 4.3 | Medium | 2024-12-11
CVE-2022-20656 | Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager Path Traversal Vulnerability — Cisco Evolved Programmable Network Manager (EPNM) | 6.5 | Medium | 2024-11-15
CVE-2024-10379 | ESAFENET CDG DecryptApplicationService.java actionViewDecyptFile path traversal — CDG | 4.3 | Medium | 2024-10-25
CVE-2024-6786 | MXview One Series vulnerable to Path Traversal — MXview One Series | 6.5 | Medium | 2024-09-21
CVE-2024-8409 | ABCD ABCD2 show_image.php path traversal — ABCD2 | 4.3 | Medium | 2024-09-04
CVE-2024-6746 | NaiboWang EasySpider HTTP GET Request server.js path traversal — EasySpider | 4.3 | Medium | 2024-07-15
CVE-2024-4790 | DedeCMS path traversal — DedeCMS | 4.3 | Medium | 2024-05-11
CVE-2024-3686 | DedeCMS update_guide.php path traversal — DedeCMS | 4.3 | Medium | 2024-04-12
CVE-2024-3227 | Panwei eoffice OA Backend save_image.php path traversal — eoffice OA | 4.7 | Medium | 2024-04-03
CVE-2024-3218 | Shibang Communications IP Network Intercom Broadcasting System busyscreenshotpush.php path traversal — IP Network Intercom Broadcasting System | 5.4 | Medium | 2024-04-02
CVE-2024-2825 | lakernote EasyAdmin saveReportFile path traversal — EasyAdmin | 6.3 | Medium | 2024-03-22
CVE-2024-2564 | PandaXGO PandaX user.go ExportUser path traversal — PandaX | 6.3 | Medium | 2024-03-17
CVE-2024-2563 | PandaXGO PandaX upload.go DeleteImage path traversal — PandaX | 5.4 | Medium | 2024-03-17
CVE-2024-2318 | ZKTeco ZKBio Media Service Port 9999 download path traversal — ZKBio Media | 4.3 | Medium | 2024-03-08
CVE-2024-1459 | Undertow: directory traversal vulnerability | 5.3 | Medium | 2024-02-12
CVE-2024-0989 | Sichuan Yougou Technology KuERP Service.php del_sn_db path traversal — KuERP | 5.4 | Medium | 2024-01-29
CVE-2024-0882 | qwdigital LinkWechat Universal Download Interface resource path traversal — LinkWechat | 4.3 | Medium | 2024-01-25
CVE-2023-52076 | Remote Code Execution Vulnerability in Atril's EPUB ebook parsing — atril | 8.5 | High | 2024-01-25
CVE-2024-0465 | code-projects Employee Profile Management System download.php path traversal — Employee Profile Management System | 3.5 | Low | 2024-01-12
CVE-2024-0417 | DeShang DSShop MemberAuth.php path traversal — DSShop | 5.4 | Medium | 2024-01-11
CVE-2024-0416 | DeShang DSMall MemberAuth.php path traversal — DSMall | 5.4 | Medium | 2024-01-11
CVE-2023-6699 | WP Compress – Image Optimizer [All-In-One] <= 6.10.33 - Unauthenticated Directory Traversal via css — WP Compress – Instant Performance & Speed Optimization | 9.1 | Critical | 2024-01-11
CVE-2024-0354 | unknown-o download-station index.php path traversal — download-station | 5.3 | Medium | 2024-01-09
CVE-2024-0341 | Inis GET Request File.php path traversal — Inis | 3.5 | Low | 2024-01-09

Vulnerabilities classified as CWE-24 (Path Traversal: '../filedir') account for 91 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.