CVE-2019-6500

HIGH

Axway File Transfer Direct 2.7.1 - Unauthenticated Path Traversal via %2e Encoding Bypass

Title source: llm

Description

In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/inf0seq/inf0seq.github.io/blob/master/_posts/2019-01-20-Directory-Traversal-in-Axway-File-Transfer-Direct.md

View Exploit ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://inf0seq.github.io/cve/2019/01/20/Directory-Traversal-in-Axway-File-Transfer-Direct.html

Scores

CVSS v3 7.5

EPSS 0.0408

EPSS Percentile 89.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (1)

axway/file_tranfer_direct 2.7.1

Published Jan 21, 2019

Tracked Since Feb 18, 2026