The software, when opening a file or directory, does not
sufficiently account for when the file is a symbolic link that resolves to a
target outside of the intended control sphere. This could allow an attacker to
cause the software to operate on unauthorized files.
The software receives input from an upstream component, but it
does not neutralize or incorrectly neutralizes special characters that could be
interpreted as web-scripting elements when they are sent to an error