A path traversal vulnerability exists in the file-handling logic, where obfuscated directory traversal patterns (e.g., encoded characters, mixed separators, nested traversal sequences) are not properly sanitized. This allows an attacker to access files outside the intended directory scope.
| Field | Detail |
|---|---|
| Vulnerability Name | Path Traversal via Obfuscated Directory Bypass |
| Vulnerable URL | https://uatamrit.piramalswasthya.org/flw-api/ |
| CVE/CWE | CWE-27 |
| CVSS Score | 8.3 |
| Overall Risk (Severity) | High |
| Observation / Description | It was observed that the application's API endpoint fails to properly sanitize and validate directory traversal patterns. When accessing the endpoint example.com/api/, the server returned an error, indicating improper input handling. Further testing using an obfuscated traversal sequence (example.com/api/.. |
| Impact | Unauthorized Access: attackers may access restricted directories or internal application paths. Information Disclosure: sensitive files, configuration data, or unintended endpoints may become accessible. Application Flow Bypass: the traversal may expose main pages or backend logic hidden behind API routes. Potential for Chained Exploits: if combined with other vulnerabilities, this may lead to code execution or deeper compromise. Reconnaissance: attackers can map the application structure and identify additional weaknesses. |
| Recommendation | Sanitize and validate paths: block traversal patterns such as `../`, `..;`, `%2e%2e`, and all encoded variations. Canonicalize paths: normalize all input paths before processing to ensure they remain within allowed directories. Implement allowlist routing: allow only explicitly defined endpoints; deny all other arbitrary paths. Harden web server configuration: apply Nginx/Apache rules to restrict traversal sequences, and disable fallback behavior that returns index pages for malformed paths. Apply WAF rules: enable rulesets (e.g., OWASP Core Rule Set) to block traversal attempts. |
| Reference | https://cwe.mitre.org/data/definitions/27.html |
| Steps to Reproduce | Step 1: During the security assessment, we visited the API endpoint https://uatamrit.piramalswasthya.org/flw-api/ to analyze its behavior. Step 2: Upon accessing this endpoint, the server responded with a writable error or an unexpected error message, indicating improper handling of the request. Step 3: To test for path traversal or directory bypass techniques, we modified the URL and accessed: https://uatamrit.piramalswasthya.org/flw-api/..;/ Step 4: After sending this modified request, the server unexpectedly processed it and redirected to or returned the main index page of the website instead of restricting access. |
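The canonicalization and allowlist recommendations above can be implemented as one path check. The following is an added example, not code from the original report or from the assessed application: it decodes the request path (repeatedly, to expose double encoding), unifies separators, strips `;param` suffixes the way a servlet container does so that `..;/` is seen as `../`, collapses the result, and only then tests whether the path stays under the permitted base directory. It also returns the obfuscation indicators it saw, so denied requests can be logged or used to tune a WAF rule. `MOUNT`, `BASE_DIR` and the sample request paths are constructed assumptions for the demonstration.

```python
"""Added example, not code from the original report or the assessed application:
decode, canonicalize and boundary-check a request path as the recommendations
describe, returning the obfuscation indicators seen so denied requests can be
logged or fed to a WAF rule. MOUNT and BASE_DIR are assumed values for the demo."""
import posixpath
from urllib.parse import unquote

MOUNT = "/flw-api/"             # route prefix under which files may be served (assumed)
BASE_DIR = "/srv/app/public"    # directory that prefix maps to (assumed)
MAX_DECODE_ROUNDS = 3           # enough to expose double/triple encoding


class PathRejected(ValueError):
    """Raised when a path must be denied; carries the indicators for logging."""
    def __init__(self, reason, indicators=()):
        super().__init__(reason)
        self.reason = reason
        self.indicators = list(indicators)


def fully_decode(raw):
    """Percent-decode until the value stops changing, so %252e%252e (double
    encoded) becomes '..'. Bounded so a long chain of layers cannot stall us."""
    current = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise PathRejected("too many encoding layers", ["percent-encoded"])


def canonicalize(raw):
    """Return (normalized path, indicators). Order matters: decode, unify
    separators, strip ';param' suffixes as a servlet container does (so '..;/'
    is seen as '../'), then collapse '.' and '..'. A check for '../' on the raw
    string would miss every variant handled here."""
    indicators = []
    decoded = fully_decode(raw)
    if decoded != raw:
        indicators.append("percent-encoded")
    if "\x00" in decoded:
        raise PathRejected("null byte in path", indicators + ["null byte"])
    if "\\" in decoded:
        indicators.append("backslash separator")
    segments = decoded.replace("\\", "/").split("/")
    if any(";" in seg for seg in segments):
        indicators.append("path parameter (;)")
    segments = [seg.split(";", 1)[0] for seg in segments]
    if ".." in segments:
        indicators.append("dot-dot segment")
    # '....' is just an odd file name here; it only turns into '..' when a naive
    # filter deletes '../' once, which this code never does.
    return posixpath.normpath("/".join(segments)), indicators


def resolve_within(base_dir, raw):
    """Map a path (relative to the mount) onto base_dir, or raise PathRejected."""
    normalized, indicators = canonicalize(raw)
    relative = normalized.lstrip("/")          # a leading '/' is rooted at base_dir
    if relative == ".." or relative.startswith("../"):
        raise PathRejected("path escapes base directory", indicators)
    target = posixpath.normpath(posixpath.join(base_dir, relative))
    base = base_dir.rstrip("/")
    if target != base and not target.startswith(base + "/"):   # defence in depth
        raise PathRejected("path escapes base directory", indicators)
    return target, indicators


def check_request(request_path, mount=MOUNT, base_dir=BASE_DIR):
    """Allow/deny decision for a full request path, with indicators for logging."""
    if not request_path.startswith(mount):
        return {"allowed": False, "reason": "outside mount", "indicators": [], "target": None}
    try:
        target, indicators = resolve_within(base_dir, request_path[len(mount):])
        return {"allowed": True, "reason": "", "indicators": indicators, "target": target}
    except PathRejected as exc:
        return {"allowed": False, "reason": exc.reason, "indicators": exc.indicators, "target": None}


# Constructed sample request paths (not from any real log); the second one has
# the shape described in the report's steps to reproduce.
SAMPLE_REQUESTS = [
    "/flw-api/docs/readme.txt",
    "/flw-api/..;/",
    "/flw-api/%2e%2e/etc/passwd",
    "/flw-api/%252e%252e%252fetc%252fpasswd",
    "/flw-api/docs\\..\\..\\etc\\passwd",
    "/flw-api/....//docs",
]


def scan_requests(paths):
    """Summarize decisions for a batch of request paths: [(path, allowed, indicators)]."""
    results = []
    for path in paths:
        decision = check_request(path)
        results.append((path, decision["allowed"], decision["indicators"]))
    return results


if __name__ == "__main__":
    for path, allowed, indicators in scan_requests(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {path:45} {indicators}")
```

Note the order of operations: a filter that inspects the raw URL for `../` before decoding, or before the container strips path parameters, sees `%2e%2e` and `..;` as harmless literals, which is exactly the gap the report describes. Deciding only after the same canonicalization the back end performs closes that gap, and the final prefix check on the resolved target catches anything the segment check missed. The `....//docs` case is deliberately allowed: with no "strip `../` once" step, it is an ordinary (if odd) file name inside the base directory.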