SYM_CS_0042 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

| Property | Value |
| --- | --- |
| Language | csharp |
| Severity | medium |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |

Description

User input is combined into file paths using Path.Combine without first sanitizing it with Path.GetFileName. This allows attackers to craft input that accesses files or directories outside the intended location.

Impact

If exploited, an attacker could read from or write to sensitive files on the server by performing path traversal (e.g., using '../'). This can lead to data exposure, overwriting important files, or enabling further attacks against the system.
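The pattern from the Description next to a hardened form, as an added example that is not part of the rule's own code. The class name, method names, the `uploads` base directory, and the sample inputs are assumptions made for the illustration.

```csharp
using System;
using System.IO;

public static class PathTraversalDemo
{
    // Constructed base directory for this example (assumption, not from the rule).
    static readonly string BaseDir =
        Path.GetFullPath(Path.Combine(Path.GetTempPath(), "uploads"));

    // Flagged pattern: user input goes straight into Path.Combine.
    // "../" segments climb out of BaseDir, and a rooted input makes
    // Path.Combine discard BaseDir entirely.
    public static string ResolveUnsafe(string userInput) =>
        Path.GetFullPath(Path.Combine(BaseDir, userInput));

    // Hardened form: keep only the final name component, then confirm the
    // resolved path is still inside BaseDir before using it.
    public static string ResolveSafe(string userInput)
    {
        string name = Path.GetFileName(userInput);
        // GetFileName returns ".." unchanged and "" for input ending in a separator.
        if (string.IsNullOrEmpty(name) || name == "." || name == "..")
            throw new ArgumentException("Invalid file name.", nameof(userInput));

        string full = Path.GetFullPath(Path.Combine(BaseDir, name));
        if (!full.StartsWith(BaseDir + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new ArgumentException("Path escapes the base directory.", nameof(userInput));
        return full;
    }

    public static void Main()
    {
        // Constructed sample inputs: a plain name, a relative traversal,
        // a rooted path, and a bare parent reference.
        string[] inputs =
        {
            "report.txt",
            "../outside.txt",
            Path.Combine(Path.GetTempPath(), "outside.txt"),
            "..",
        };
        foreach (string input in inputs)
        {
            Console.WriteLine($"input:  {input}");
            Console.WriteLine($"unsafe: {ResolveUnsafe(input)}");
            try { Console.WriteLine($"safe:   {ResolveSafe(input)}"); }
            catch (ArgumentException e) { Console.WriteLine($"safe:   rejected ({e.Message})"); }
        }
    }
}
```

The containment check after `Path.GetFullPath` goes beyond the `Path.GetFileName` sanitization the rule names; it is included as a second layer because `Path.GetFileName` alone passes `..` through unchanged.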