CVEbaza.plSłownik CWECWE-530
Common Weakness Enumeration

CWE-530

Exposure of Backup File to an Unauthorized Control Sphere

Kategoria: VariantCVE: 12
Opis

Plik kopii zapasowej jest przechowywany w katalogu lub archiwum, które są dostępne dla niezautoryzowanych użytkowników. Brak właściwej kontroli dostępu umożliwia osobom nieuprawnionym dostęp do wrażliwych danych zawartych w kopii zapasowej.

Description (EN)

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

Podatności CVE z CWE-530 (12)
8.7
CVSS
HIGH
CVE-2020-36899

QiHang Media Web Digital Signage 3.0.9 contains an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive files through unverified 'filename' and 'path' parameters. Attackers can exploit the QH.aspx endpoint to read arbitrary files and directory contents without authentication by manipulating download and getAll actions.

pub. 2025-12-10
7.5
CVSS
HIGH
CVE-2024-12330

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including all information stored in the database.

pub. 2025-01-09
7.2
CVSS
HIGH
CVE-2024-56462

IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating system.

pub. 2026-05-27
3.7
CVSS
LOW
CVE-2023-5297

A vulnerability was found in Xinhu RockOA 2.3.2. It has been classified as problematic. This affects the function start of the file task.php?m=sys|runt&a=beifen. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-240927.

pub. 2023-09-29
2.4
CVSS
LOW
CVE-2024-3430

A vulnerability was found in QKSMS up to 3.9.4 on Android. It has been classified as problematic. This affects an unknown part of the file androidmanifest.xml of the component Backup File Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259611. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

pub. 2024-04-07
2.4
CVSS
LOW
CVE-2024-3124

A vulnerability classified as problematic has been found in fridgecow smartalarm 1.8.1 on Android. This affects an unknown part of the file androidmanifest.xml of the component Backup File Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258867.

pub. 2024-04-01
2.4
CVSS
LOW
CVE-2024-3128

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, has been found in Replify-Messenger 1.0 on Android. This issue affects some unknown processing of the file androidmanifest.xml of the component Backup File Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier VDB-258869 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: The vendor was contacted early and responded very quickly. He does not intend to maintain the app anymore and will revoke the availability in the Google Play Store.

pub. 2024-04-01
1.8
CVSS
LOW
CVE-2024-2567

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, was found in jurecapuder AndroidWeatherApp 1.0.0 on Android. Affected is an unknown function of the file androidmanifest.xml of the component Backup File Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. VDB-257070 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: The code maintainer was contacted early about this disclosure but did not respond in any way. Instead the GitHub repository got deleted after a few days. We have to assume that the product is not supported anymore.

pub. 2024-03-17
1.8
CVSS
LOW
CVE-2024-2364

A vulnerability classified as problematic has been found in Musicshelf 1.0/1.1 on Android. Affected is an unknown function of the file androidmanifest.xml of the component Backup Handler. The manipulation leads to exposure of backup file to an unauthorized control sphere. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-256320.

pub. 2024-03-10
1.1
CVSS
LOW
CVE-2026-2974

W aplikacji AliasVault do wersji 0.25.3 na Android/iOS zidentyfikowana została luka w zabezpieczeniach dotycząca obsługi backupu pliku shared_prefs/aliasvault.xml. Manipulacja parametrami accessToken/refreshToken/metadata/key_derivation_params/auth_methods prowadzi do ujawnienia pliku backupu dla nieuprawnionych podmiotów — atak wymaga dostępu lokalnego i charakteryzuje się wysoką złożonością. Zalecane jest zaktualizowanie aplikacji do wersji 0.26.0 zawierającej patch, choć producent zaznacza, że ze względu na zero-knowledge encryption design tokeny API w pliku nie mogą samodzielnie odszyfrować magazynu — wymagane jest hasło główne.

pub. 2026-02-23
0.9
CVSS
LOW
CVE-2026-13514

A weakness has been identified in Chess Play and Learn App up to 4.9.42 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.chess. This manipulation causes exposure of backup file to an unauthorized control sphere. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. Upgrading the affected component is advised. The vendor was informed early about this issue. They confirmed the existence and that they will address it. Furthermore, they explain that their bug bounty "explicitly excludes physical-access attacks". However, they appreciate the quality of the report and aim at making a goodwill payment to the researcher.

pub. 2026-06-29
CVSS
NONE
CVE-2025-3773

A sensitive information exposure vulnerability in System Information Reporter (SIR) 1.0.3 and prior allows an authenticated non-admin local user to extract sensitive information stored in a registry backup folder.

pub. 2025-06-26
Informacje
ID: CWE-530
Typ: Variant
Podatności: 12
MITRE CWE ↗
← Słownik CWE
CWE-530 — Ujawnienie pliku kopii zapasowej w niezautoryzowanej sferze kontroli | Słownik CWE | CVEbaza.pl