CVE-2016-4314

MEDIUM

WSO2 Carbon 4.4.5 - Authenticated Path Traversal via LogViewer Admin Service LogFile Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4314. PoCs published by hyp3rlinx.

AI-analyzed exploit summary This exploit demonstrates a Local File Inclusion (LFI) vulnerability in WSO2 Carbon v4.4.5, allowing authenticated users to read arbitrary files via path traversal in the `downloadArchivedLogFiles` operation. The PoC includes URLs to access sensitive files like `registry.xml` and `master-datasources.xml`.

Description

Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the logFile parameter to downloadgz-ajaxprocessor.jsp.

Exploits (1)

exploitdb WORKING POC VERIFIED

by hyp3rlinx · textwebappsjsp

https://www.exploit-db.com/exploits/40240

View Code ZIP pw:eip

This exploit demonstrates a Local File Inclusion (LFI) vulnerability in WSO2 Carbon v4.4.5, allowing authenticated users to read arbitrary files via path traversal in the `downloadArchivedLogFiles` operation. The PoC includes URLs to access sensitive files like `registry.xml` and `master-datasources.xml`.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: WSO2 Carbon v4.4.5

Auth required

Prerequisites: Authenticated access to the WSO2 Carbon admin interface

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/138330/WSO2-Carbon-4.4.5-Local-File-Inclusion.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/92473

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/40240/

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/539200/100/0/threaded

Exploit, Third Party Advisory x_refsource_misc

http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-LOCAL-FILE-INCLUSION.txt

Patch, Vendor Advisory x_refsource_confirm

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098

Scores

CVSS v3 4.9

EPSS 0.1235

EPSS Percentile 95.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (2)

org.wso2.carbon.commons/org.wso2.carbon.logging.view.ui 0Maven

wso2/carbon 4.4.5

Published Feb 17, 2017

Tracked Since Feb 18, 2026