CVE-2018-25408: The Open ISES Project 3.30A Path Traversal Arbitrary File Download
The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename parameter to access files outside the intended directory, including configuration files and system files.
Security readout for executives and security teams
Open ISES Project 3.30A can expose files that should stay private. An unauthenticated attacker may abuse the download function to read files outside its intended folder, potentially including configuration or system files. The provided sources do not identify a vendor patch or active exploitation. Exposure is limited to organizations running Open ISES Project 3.30A, especially where the application or its download endpoint is reachable from untrusted networks. The bundle provides no CPEs, deployment prevalence, or hosted-service evidence. Treat this as a high-priority confidentiality risk if Open ISES Project 3.30A is deployed. It may expose sensitive files without credentials, but urgency depends on whether the product exists in your environment and is externally reachable. Mitigation focus: Check vendor and project guidance for any fixed release or official workaround.; Remove public access to Open ISES Project 3.30A where not required.; Restrict access to the download endpoint using authentication and network controls..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-22: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
0ADP providers
4Source links
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.