CVE-2012-4680

IOServer <1.0.19.0 - Path Traversal

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-4680. PoCs published by hinge.

AI-analyzed exploit summary: This is a detailed security advisory describing a directory traversal vulnerability in IOServer's web server component, allowing arbitrary file access and directory listing when the 'Root Directory' lacks a trailing backslash. The advisory includes proof-of-concept steps using wget to exploit the vulnerability.

Description

Directory traversal vulnerability in the XML Server in IOServer before 1.0.19.0, when the Root Directory pathname lacks a trailing \ (backslash) character, allows remote attackers to read arbitrary files or list arbitrary directories via a .. (dot dot) in a URI.

Exploits (1)

exploitdb WRITEUP
by hinge · text · webapps · windows
https://www.exploit-db.com/exploits/20677

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: IOServer 1.0.18.0 (and earlier)
Authentication: No auth needed
Prerequisites:
- IOServer with XML Server feature enabled
- Root Directory configuration without trailing backslash
- Network access to the web server port (default: 81)
mistral-large-3 · analyzed Feb 16, 2026

References (3)

Core References
Various Sources x_refsource_misc
http://www.foofus.net/?page_id=616
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/50297

Scores

EPSS 0.0275
EPSS Percentile 84.4%

Details

CWE: CWE-22
Status: published
Products (1): ioserver/ioserver 1.0.18.0
Published: Aug 27, 2012
Tracked Since: Feb 18, 2026