SYM_RB_0069 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
External Control of File Name or Path
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-73: External Control of File Name or Path |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Passing user-controlled input directly to the `send_file` method lets the client decide which file the server returns, so an attacker can request and download sensitive files from your server. Always validate or sanitize user input before using it with file-serving functions.
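The following is an added example, not code from the Symbiotic rule page or from any project it describes. It shows the unsafe pattern the rule flags (a request parameter joined straight onto a directory and handed to `send_file`) next to one way to constrain the path first: resolve it to a canonical absolute path and confirm it still lies inside the allowed directory. `PUBLIC_DIR`, `unsafe_path` and `safe_path` are names assumed here for illustration.

```ruby
# Added example (not from the rule page or any project): the pattern behind
# SYM_RB_0069 and a hardened replacement. PUBLIC_DIR and the function names
# are assumptions for illustration.

# Hypothetical directory that downloads are allowed to be served from.
PUBLIC_DIR = "/srv/app/public/downloads"

# Vulnerable pattern: the user-supplied name is joined onto the base
# directory with no validation, so "../" segments or an absolute path can
# name a file outside PUBLIC_DIR. The equivalent Sinatra handler would be:
#   get "/download" do
#     send_file File.join(PUBLIC_DIR, params[:file])
#   end
def unsafe_path(base_dir, user_input)
  File.join(base_dir, user_input)   # File.join does not normalise ".."
end

# Hardened variant: canonicalise the candidate path and require it to stay
# under base_dir. Returns the canonical path to pass to send_file, or nil
# when the request must be rejected (the caller should answer 404/403).
def safe_path(base_dir, user_input)
  return nil if user_input.nil? || user_input.empty?
  # NUL bytes can truncate the path at lower layers; reject them outright.
  return nil if user_input.include?("\0")

  base = File.absolute_path(base_dir)
  # absolute_path collapses "." and "..", makes a relative input absolute
  # relative to base, and (unlike expand_path) does not expand a leading "~".
  candidate = File.absolute_path(user_input, base)

  # Compare against base plus a trailing separator so a sibling directory
  # such as "/srv/app/public/downloads2/x" does not pass the check.
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Hardened Sinatra handler using the helper (illustrative, not run here):
#   get "/download" do
#     path = safe_path(PUBLIC_DIR, params[:file]) or halt 404
#     send_file path
#   end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a legitimate name and two traversal attempts.
  ["report.pdf", "../../etc/passwd", "/etc/passwd"].each do |name|
    puts "#{name.inspect}: unsafe=#{unsafe_path(PUBLIC_DIR, name)} " \
         "safe=#{safe_path(PUBLIC_DIR, name).inspect}"
  end
end
```

The check is done on the normalised path rather than by searching the raw input for `..`, because encodings and mixed separators make string filtering easy to get wrong; if the directory may contain symlinks, resolve the candidate with `File.realpath` after confirming it exists and apply the same prefix test to the result.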
Impact
If exploited, an attacker could access files outside the intended directory, such as configuration files or application secrets, leading to data breaches or compromise of the entire server. This can expose sensitive information and put the application and its users at risk.