There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.
References
Link | Resource |
---|---|
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904 | Vendor Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
19 Dec 2023, 19:24
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:zte:zxcloud_irai_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zte:zxcloud_irai:-:*:*:*:*:*:*:* |
|
References | () https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904 - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CWE | NVD-CWE-noinfo |
14 Dec 2023, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-14 07:15
Updated : 2024-02-05 00:22
NVD link : CVE-2023-25650
Mitre link : CVE-2023-25650
CVE.ORG link : CVE-2023-25650
JSON object : View
Products Affected
zte
- zxcloud_irai
- zxcloud_irai_firmware
CWE