CVE-2025-3381

Published: Apr 7, 2025Modified: Oct 10, 2025

5.3

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: CNA (Secondary)

Description

A vulnerability, which was classified as critical, was found in zhangyanbo2007 youkefu 4.2.0. This affects an unknown part of the file WebIMController.java of the component File Upload. The manipulation of the argument ID leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Affected (1)

Products: Zhangyanbo2007: Youkefu

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zhangyanbo2007 Youkefu	Version 4.2.0

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (5)

https://github.com/mapl3miss/uckefuVul/blob/main/uckefu-upload.md

Source: cna@vuldb.com

ExploitThird Party Advisory

https://vuldb.com/?ctiid.303627

Source: cna@vuldb.com

Permissions RequiredVDB Entry

https://vuldb.com/?id.303627

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://vuldb.com/?submit.552369

Source: cna@vuldb.com

Third Party AdvisoryVDB Entry

https://github.com/mapl3miss/uckefuVul/blob/main/uckefu-upload.md

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitThird Party Advisory

Timeline

No history available yet.