
CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere) — Vulnerability Class 10

10 vulnerabilities classified as CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere). An AI-generated analysis (in Chinese) is included.

CWE-530 is an information exposure weakness in which backup files containing sensitive data are stored in directories that unauthorized actors can reach. Attackers typically exploit it by probing web servers for common backup extensions, such as .bak, .old, or .~bk, to retrieve outdated source code or configuration data. These files often contain hardcoded credentials, database connection strings, or proprietary logic that was superseded in production but remains readable in the webroot. To mitigate the risk, developers must enforce strict access controls and keep backup files outside the public document root. Automated deployment pipelines should also purge or securely archive backup files after each successful update, so that they do not linger in accessible locations where an attacker looking for an initial foothold can harvest them.

MITRE CWE Description
A backup file is stored in a directory or archive that is made accessible to unauthorized actors. Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.
Common Consequences (1)
Confidentiality: Read Application Data
At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.
Mitigations (1)
Policy: Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.
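The analysis above recommends purging backup artifacts from the document root in the deployment pipeline, and the MITRE mitigation recommends a policy that forbids them there. The following is an added example (not part of the CWE entry or of any listed product) of a small audit that enforces that policy as a deploy-time gate: it walks a document root and reports files whose names match common backup, editor-artifact and dump conventions. The suffix and pattern lists, the function names and the constructed sample tree are assumptions chosen for illustration; extend the lists to match your own tooling.

```python
"""Audit a web document root for backup artifacts (CWE-530 check).

Added example; not part of the CWE entry. The extension lists below are an
assumption covering common manual copies, editor leftovers and dumps.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# Plain suffixes produced by "cp config.php config.php.bak"-style copies
# and by editors that keep a tilde backup (assumed list).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".tmp", ".~bk", ".copy", "~")

# Name shapes that a simple suffix check misses (assumed list).
BACKUP_PATTERNS = [
    re.compile(r"\.\d{1,8}$"),                       # numeric suffix: settings.php.1
    re.compile(r"\.(zip|tar|tgz|gz|7z|rar|sql)$", re.I),  # archives and DB dumps
    re.compile(r"^#.*#$"),                           # emacs autosave: #index.php#
    re.compile(r"^\.[^/]+\.sw[a-p]$"),               # vim swap: .index.php.swp
]


def is_backup_name(name: str) -> bool:
    """Return True if a bare file name looks like a backup or editor artifact."""
    lower = name.lower()
    if any(lower.endswith(s) for s in BACKUP_SUFFIXES):
        return True
    return any(p.search(name) for p in BACKUP_PATTERNS)


def find_backup_files(docroot, exclude_dirs=()):
    """Walk docroot and return sorted relative paths of suspicious files.

    exclude_dirs lists directory names to skip (e.g. a build cache that is
    never served); by default nothing under the docroot is skipped, because
    anything below it is potentially reachable over HTTP.
    """
    root = Path(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for fname in filenames:
            if is_backup_name(fname):
                findings.append(str(Path(dirpath, fname).relative_to(root)))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed sample tree in a temp dir (not a real deployment)."""
    tmp = tempfile.mkdtemp(prefix="docroot-")
    sample_files = [
        "index.php",            # legitimate
        "config.php.bak",       # manual copy of a config with credentials
        "config.php~",          # editor tilde backup
        "css/site.css",         # legitimate
        "css/site.css.old",     # superseded stylesheet
        "db/dump.sql",          # database dump left in the webroot
        "uploads/photo.jpg",    # legitimate
        "vendor/lib.js.orig",   # patch leftover
        "#index.php#",          # emacs autosave
        ".index.php.swp",       # vim swap file
    ]
    for rel in sample_files:
        path = Path(tmp, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder content\n")
    return tmp


if __name__ == "__main__":
    # Use the docroot given on the command line, or the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_docroot()
    hits = find_backup_files(target)
    for hit in hits:
        print(f"backup artifact under docroot: {hit}")
    # Non-zero exit makes this usable as a pipeline gate.
    sys.exit(1 if hits else 0)
```

Run it against the deploy staging directory before the release is switched live; a non-zero exit blocks the deploy until the file is moved out of the document root or deleted. A name-based check is a heuristic, so it belongs alongside the policy the MITRE entry describes rather than in place of it, and it does not replace denying such extensions in the web server configuration as a second layer.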

Vulnerabilities classified as CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere) account for 10 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.