CVE-2023-25650

Published: Dec 14, 2023Modified: Jan 28, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.

Affected (1)

Products: Zte: Zxcloud Irai

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Zte Zxcloud Irai	Before 7.23.30

Running on/with	Platform Versions
Zte Zxcloud Irai	All versions

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904

Source: psirt@zte.com.cn

Vendor Advisory

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.