AjaXplorer vulnerable to directory traversal


AjaXplorer contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.

Daiki Fukumori of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

  • AjaXplorer

This vulnerability was confirmed to exist in version 2.0 by the reporter. Note that other versions may be affected.

An authenticated attacker may view files on the server.

[Use Pydio]
The developer states that the development of AjaXplorer has been discontinued and there are no plans for AjaXplorer to be updated.
Use Pydio, the successor of AjaXplorer.
Vendor Information

CWE

  1. Path Traversal (CWE-22) [IPA Evaluation]
CVE

  1. CVE-2015-5650

  1. JVN : JVN#27462572
  2. National Vulnerability Database (NVD) : CVE-2015-5650
Revision History

  • [2015/10/01]
      Web page was published
      References : Content was added