CVE-2020-37034

HIGH

HelloWeb 2.0 - Path Traversal

Title source: llm

Description

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files.

Exploits (1)

exploitdb WORKING POC

by bRpsd · textwebappsasp

https://www.exploit-db.com/exploits/48659

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/48659

[Various Sources] https://web.archive.org/web/20190109182037/https://helloweb.co.kr/

[Third Party Advisory] https://www.vulncheck.com/advisories/helloweb-arbitrary-file-download

Scores

CVSS v3 7.5

EPSS 0.0022

EPSS Percentile 43.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Published Jan 30, 2026

Tracked Since Feb 18, 2026