CVE-2023-25650

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.
Configurations

Configuration 1

AND
cpe:2.3:o:zte:zxcloud_irai_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zte:zxcloud_irai:-:*:*:*:*:*:*:*

History

19 Dec 2023, 19:24

Type: CPE
  Values Removed: (none)
  Values Added: cpe:2.3:o:zte:zxcloud_irai_firmware:*:*:*:*:*:*:*:*
                cpe:2.3:h:zte:zxcloud_irai:-:*:*:*:*:*:*:*

Type: References
  Values Removed: https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904
  Values Added: https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904 - Vendor Advisory

Type: CVSS
  Values Removed: v2 : unknown, v3 : unknown
  Values Added: v2 : unknown, v3 : 6.5

Type: CWE
  Values Removed: (none)
  Values Added: NVD-CWE-noinfo

14 Dec 2023, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-14 07:15

Updated : 2024-02-05 00:22


NVD link : CVE-2023-25650

Mitre link : CVE-2023-25650

CVE.ORG link : CVE-2023-25650



Products Affected

zte

  • zxcloud_irai
  • zxcloud_irai_firmware

CWE

  • NVD-CWE-noinfo
  • CWE-20: Improper Input Validation