CVE-2021-4463
Longjing Technology BEMS API <= 1.21 Remote Arbitrary File Download
Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
Shenzhen Longjing Technology Co. Ltd. · BEMS API¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://cxsecurity.com/issue/WLB-2021070173https://exchange.xforce.ibmcloud.com/vulnerabilities/206477https://packetstormsecurity.com/files/163702https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/https://www.exploit-db.com/exploits/50163https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-downloadhttps://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php