CVE-2018-25408
Severity: 7.5 HIGH
Published: 2026-05-30 · Last updated: 2026-06-01
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-22
Description
The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences (../) in the filename parameter to access files outside the intended directory, including configuration files and system files.
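The defect class is CWE-22: a user-controlled filename is joined onto a base directory and served without checking that the resolved path is still inside that directory. The Python below is an added illustration of the mitigation and of a matching log check; it is not Open ISES code, and the base directory /srv/ises/uploads and the access-log lines are constructed for the example. The resolver canonicalises the path (percent-decoding, symlink resolution, normalisation of ../) and only then tests containment, which is the check a download handler like the one described above needs; the log helper flags requests whose filename parameter carries a .. segment after decoding.

```python
import os
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse


def resolve_download_path(base_dir: str, filename: str) -> Optional[str]:
    """Return the absolute file path to serve, or None if `filename` would
    escape `base_dir`. Containment is checked on the canonical path, so
    encoded or nested ../ sequences and symlinks cannot bypass it."""
    if not filename or "\x00" in filename:
        return None
    # Decode percent-encoding once, as the web server would, so %2e%2e%2f is seen as ../
    decoded = unquote(filename)
    # Absolute paths, backslashes and drive letters are never valid download names
    if decoded.startswith(("/", "\\")) or "\\" in decoded or re.match(r"^[A-Za-z]:", decoded):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # The resolved path must lie strictly below the base directory
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed access-log lines (combined log format) for the detection helper
LOG_LINES = [
    '10.0.0.5 - - [01/Jun/2026:12:00:00 +0000] "GET /ajax/download.php?filename=report.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jun/2026:12:00:03 +0000] "GET /ajax/download.php?filename=../../../../etc/passwd HTTP/1.1" 200 1840',
    '10.0.0.9 - - [01/Jun/2026:12:00:07 +0000] "GET /ajax/download.php?filename=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 912',
    '10.0.0.7 - - [01/Jun/2026:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 2200',
]


def traversal_attempts(log_lines: List[str], param: str = "filename") -> List[str]:
    """Return the log lines whose `param` query value contains a '..' path
    segment once percent-decoding has been undone (double encoding included)."""
    hits = []
    for line in log_lines:
        match = re.search(r'"(?:GET|POST) (\S+) ', line)
        if not match:
            continue
        query = urlparse(match.group(1)).query
        # parse_qs decodes once; unquote again so doubly-encoded values are caught too
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            segments = re.split(r"[\\/]", unquote(value))
            if ".." in segments:
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    base = "/srv/ises/uploads"  # hypothetical download root
    for name in ["report.pdf", "../../../../etc/passwd", "%2e%2e%2fconfig.php", "/etc/passwd"]:
        print(f"{name!r:40} -> {resolve_download_path(base, name)}")
    for hit in traversal_attempts(LOG_LINES):
        print("traversal attempt:", hit)
```

The containment test compares canonical paths rather than searching the raw string for ../, because string filters miss encoded, mixed-separator and symlink variants; the same realpath-then-commonpath pattern maps directly onto PHP's realpath() plus a prefix check in a fixed download.php.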
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2018-25408
- [Other] http://openises.sourceforge.net/
- [Other] https://sourceforge.net/projects/openises/files/latest/download
- [Other] https://www.exploit-db.com/exploits/45655
- [Other] https://www.vulncheck.com/advisories/the-open-ises-project-3-30a-path-traversal-arbitrary-file-download
Related CVEs (same CWE)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)
- CVE-2026-40769 — Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field <= 1... (8.6 HIGH)
- CVE-2026-40727 — Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions (7.7 HIGH)