exploitDog

CVE-2023-25650

Published: 14 Dec 2023
Source: nvd
CVSS3: 6.5
EPSS: Low

Description

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.

Vulnerable configurations

Configuration 1

All of the following

cpe:2.3:a:zte:zxcloud_irai:*:*:*:*:*:*:*:*
Versions before 7.23.30 (exclusive)
cpe:2.3:a:zte:zxcloud_irai:-:*:*:*:*:*:*:*

EPSS

Percentile: 49%
0.0026
Low

6.5 Medium

CVSS3

Weaknesses

CWE-20
NVD-CWE-noinfo

Related vulnerabilities

CVSS3: 6.5
github
about 2 years ago

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.
