Arbitrary File Download Vulnerability in ZTE ZXCLOUD iRAI
CVE-2023-25650

6.5MEDIUM

Key Information:

Vendor: ZTE
Status: ZXCLOUD iRAI
Vendor: CVE Published:; 14 December 2023

What is CVE-2023-25650?

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.

Affected Version(s)

ZXCLOUD iRAI Windows All versions up to V7.23.23

References

https://support.zte.com.cn/support/news/LoopholeInfoDetai...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 14, 2023
Vulnerability Reserved
Feb 9, 2023

JSON