CWE-538 (File and Path Information Exposure) — Vulnerability Class 66

66 vulnerabilities classified as CWE-538 (File and Path Information Exposure). AI-generated Chinese analysis included.

CWE-538 is a data exposure weakness in which an application writes sensitive information into files or directories that can be read by actors who are permitted to access the files but not the information inside them. It typically arises when the access controls on a storage location are weaker than the controls the application applies to the data itself, so anyone with ordinary file-system access to that location can read credentials, session tokens, or personally identifiable information. An attacker needs only to read the exposed file, bypassing the application's own access checks entirely. To mitigate the risk, store sensitive data only in restricted directories readable by the application process, and as defence in depth encrypt data at rest and use secure temporary-storage mechanisms, so that the confidentiality and integrity of the information is preserved even if the file itself is reachable.

MITRE CWE Description
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Common Consequences (1)
Confidentiality: Read Files or Directories

Mitigations (1)
Architecture and Design, Operation, System Configuration: Do not expose file and directory information to the user.

Examples (1)
In the following code snippet, a user's full name and credit card number are written to a log file.

Bad (Java):
    // Cleartext credit card number is written to a log file that other users may be able to read
    logger.info("Username: " + username + ", CCN: " + ccn);
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-22773 | WordPress Htaccess File Editor <= 1.0.19 - Broken Authentication vulnerability | Htaccess File Editor | 5.3 | Medium | 2025-01-15
CVE-2024-6880 | CSRF in MegaBIP | MegaBIP | 9.1 | - | 2025-01-10
CVE-2025-0194 | Insertion of Sensitive Information into Externally-Accessible File or Directory in GitLab | GitLab | 6.5 | Medium | 2025-01-08
CVE-2025-22306 | WordPress Link Whisper Free plugin <= 0.7.7 - Sensitive Data Exposure vulnerability | Link Whisper Free | 5.3 | Medium | 2025-01-07
CVE-2024-47580 | Multiple vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services) | SAP NetWeaver AS for JAVA (Adobe Document Services) | 6.8 | Medium | 2024-12-10
CVE-2024-47579 | Multiple vulnerabilities in SAP NetWeaver AS for JAVA (Adobe Document Services) | SAP NetWeaver AS for JAVA (Adobe Document Services) | 6.8 | Medium | 2024-12-10
CVE-2022-43933 | Configuration secrets are logged in support-save | SANnav | 4.4 | Medium | 2024-11-21
CVE-2023-7062 | Advanced File Manager Shortcodes <= 2.4 - Authenticated (Contributor+) Directory Traversal | Advanced File Manager Shortcodes | 8.8 | High | 2024-07-10
CVE-2023-5937 | Sensitive data exfiltration via unsafe permissions on Windows systems in Arc before v1.6.0 | Arc | 3.8 | Low | 2024-05-15
CVE-2024-22045 | Siemens SINEMA Remote Connect security vulnerability | SINEMA Remote Connect Client | 7.6 | High | 2024-03-12
CVE-2024-22433 | Dell Data Protection Search security vulnerability | Data Protection Search | 8.8 | High | 2024-02-01
CVE-2024-0191 | RRJ Nueva Ecija Engineer Online Portal file information disclosure | Nueva Ecija Engineer Online Portal | 5.3 | Medium | 2024-01-02
CVE-2023-4595 | Insertion of Sensitive Information into Externally-Accessible File or Directory in BVRP Software SLmail | SLmail | 7.5 | High | 2023-11-23
CVE-2023-46723 | lte-pic32-writer's sendto.txt may disclose URL and the API key | lte-pic32-writer | 8.9 | High | 2023-10-31
CVE-2022-4318 | Cri-o: /etc/passwd tampering privesc | Red Hat OpenShift Container Platform 4.11 | 7.8 | High | 2023-09-25
CVE-2023-38558 | Siemens SIMATIC security vulnerability | SIMATIC PCS neo (Administration Console) V4.0 | 5.5 | Medium | 2023-09-14
CVE-2023-4480 | Arbitrary File Read in Fusion File Manager | PHPFusion | 5.5 | Medium | 2023-09-05
CVE-2023-28444 | angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend | angular-server-side-configuration | 9.9 | Critical | 2023-03-24
CVE-2022-26329 | File existence disclosure vulnerability in IDM plugin | NetIQ Identity Manager | 1.8 | Low | 2023-01-24
CVE-2022-44623 | JetBrains TeamCity security vulnerability | TeamCity | 6.5 | Medium | 2022-11-03
CVE-2022-20864 | Cisco IOS XE ROM Monitor Software for Catalyst Switches Information Disclosure Vulnerability | Cisco IOS XE Software | 4.6 | Medium | 2022-10-10
CVE-2021-40363 | Siemens SIMATIC PCS 7 and SIMATIC WinCC authorization issue vulnerability | SIMATIC PCS 7 V8.2 | 7.8 | - | 2022-02-09
CVE-2022-0013 | Cortex XDR Agent: File Information Exposure Vulnerability When Generating Support File | Cortex XDR Agent | 5.0 | Medium | 2022-01-12
CVE-2021-3709 | Apport file permission bypass through emacs byte compilation errors | apport | 6.5 | Medium | 2021-10-01
CVE-2021-32822 | File disclosure in hbs | hbs | 4.0 | Medium | 2021-08-16
CVE-2021-1406 | Cisco Unified Communications Manager Information Disclosure Vulnerability | Cisco Unified Communications Manager | 4.9 | Medium | 2021-04-08
CVE-2021-21250 | Post-Auth External Entity Expansion (XXE) | onedev | 7.7 | High | 2021-01-15
CVE-2019-15793 | Mishandling of file-system uid/gid with namespaces in shiftfs | Shiftfs in the Linux kernel | 6.5 | Medium | 2020-04-23
CVE-2019-6851 | Information disclosure vulnerability in multiple Schneider products | Modicon M580, Modicon M340, Modicon Premium, Modicon Quantum (all firmware versions) | 7.5 | - | 2019-10-29
CVE-2019-7618 | Elastic Code path traversal vulnerability | Elastic Code | 5.5 | - | 2019-10-01

Vulnerabilities classified as CWE-538 (File and Path Information Exposure) represent 66 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.