CVE-2020-37034
Arbitrary File Download in HelloWeb 2.0 via Directory Traversal
Publication date: 2026-01-30
Last updated on: 2026-01-30
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | helloweb | 2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
HelloWeb 2.0 has an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating the filepath and filename parameters. Attackers can send specially crafted GET requests to the download.asp page using directory traversal techniques to access sensitive configuration and system files.
How can this vulnerability impact me? :
This vulnerability can allow attackers to access and download sensitive system and configuration files, potentially exposing confidential information or system details. This could lead to further attacks or unauthorized access to the system.