{"id":"CVE-2018-18434","details":"An issue was discovered in litemall 0.9.0. Arbitrary file download is possible via ../ directory traversal in linlinjava/litemall/wx/web/WxStorageController.java in the litemall-wx-api component.","modified":"2026-04-11T11:39:40.986190Z","published":"2018-10-17T06:29:00.637Z","references":[{"type":"ADVISORY","url":"https://github.com/linlinjava/litemall/issues/76"},{"type":"FIX","url":"https://github.com/linlinjava/litemall/commit/49ab94d0052672d4fb642505d44b94a18abea332"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/linlinjava/litemall","events":[{"introduced":"0"},{"last_affected":"76568b304da6dc9a5eb3290f27b73fe6b99f4684"},{"fixed":"49ab94d0052672d4fb642505d44b94a18abea332"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.9.0"}]}}],"versions":["v0.1.0","v0.2.0","v0.3.0","v0.4.0","v0.5.0","v0.6.0","v0.7.0","v0.8.0","v0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-18434.json","vanir_signatures":[{"source":"https://github.com/linlinjava/litemall/commit/49ab94d0052672d4fb642505d44b94a18abea332","id":"CVE-2018-18434-1a0522a5","signature_version":"v1","deprecated":false,"digest":{"length":523,"function_hash":"96696369334610697743408769115790146277"},"signature_type":"Function","target":{"file":"litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/web/WxStorageController.java","function":"download"}},{"source":"https://github.com/linlinjava/litemall/commit/49ab94d0052672d4fb642505d44b94a18abea332","id":"CVE-2018-18434-8edbfcd8","signature_version":"v1","deprecated":false,"digest":{"length":418,"function_hash":"132900878510239747528676688137397217800"},"signature_type":"Function","target":{"file":"litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/web/WxStorageController.java","function":"fetch"}},{"source":"https://github.com/linlinjava/litemall/commit/49ab94d0052672d4fb642505d44b94a18abea332","id":"CVE-2018-18434-d4c1ddb1","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["61156782022435078365736256290978580660","150529089046009252282262868661007395271","216128168918769434751914760151925976629","298501460194646143563491339352291144462","275268899948578981886649810119026351895","210542490001809390165621182183818271848","130612534208309019081421269457475556251","113316971842657389825178937665474399592","162294934809481003654137574868485171720","302301535898693361968315070138888813095","304736416107486914007798968273995350263","150529089046009252282262868661007395271","216128168918769434751914760151925976629","298501460194646143563491339352291144462","275268899948578981886649810119026351895","210542490001809390165621182183818271848","130612534208309019081421269457475556251","113316971842657389825178937665474399592","187198733614269955402973279316509229044","156726085061399067872233506971015297061"]},"signature_type":"Line","target":{"file":"litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/web/WxStorageController.java"}}],"vanir_signatures_modified":"2026-04-11T11:39:40Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}