There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.
References
Link | Resource |
---|---|
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: zte
Published: 2023-12-14T06:52:23.199Z
Updated: 2023-12-14T08:17:02.352Z
Reserved: 2023-02-09T19:47:48.023Z
Link: CVE-2023-25650
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-12-14T07:15:07.783
Modified: 2023-12-19T19:24:52.120
Link: CVE-2023-25650
JSON object: View
Redhat Information
No data.
CWE