Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
| Property | |
|---|---|
| Language | generic |
| Severity |  |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description#
The code uses untrusted user input from request parameters to specify the file path in a render call. This allows attackers to control which local files are rendered and potentially exposed.
Impact#
An attacker could exploit this to read sensitive files from the server, such as application configuration, credentials, or other private data. This can lead to data breaches and compromise of system security.