...
This vulnerability exists when an application accepts direct ogject object reference to a specific filename as an input parabeter parameter and then servers that file to the user. A malicious attacker can then traverse through arbitrary directories on the server to view files which would not normally be accessible, including sensitive files such as /etc/password.
...