Original Release Date: September 21, 2023

Vulnerability ID
CVE ID: CVE-2023-25650
CNNVD ID: CNNVD-2023-02977275

CVSS 3.1 Base Score
6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Description
There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.

Affected Products and Fixes

| Product Name | Affected Version | Resolved Version |
| --- | --- | --- |
| ZXCLOUD iRAI | All versions up to V7.23.23 | V7.23.30 |
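
The description attributes the flaw to a backend that neither escapes special strings nor restricts paths. The following added example (not ZTE's code; the function names, directory layout and request values are constructed for illustration) contrasts an unrestricted join with a resolver that canonicalises the requested path and confines it to a download root.

```python
import os
import tempfile
from pathlib import Path


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """'Before' form: request parameter joined to the root with no path restriction."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_confined(base_dir: str, requested: str) -> Path:
    """Hardened form: canonicalise, then require the result to stay inside base_dir."""
    if "\x00" in requested:
        raise PermissionError("NUL byte in file name")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks; an absolute `requested`
    # replaces base in the join, which the containment check then rejects.
    candidate = (base / requested).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise PermissionError(f"path escapes download root: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def demo() -> dict:
    """Run both resolvers over constructed request parameters."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        top = Path(tmp).resolve()
        root = top / "downloads"
        root.mkdir()
        (root / "report.txt").write_text("ok")
        (top / "secret.cfg").write_text("outside the root")
        cases = {"plain": "report.txt", "dotdot": "../secret.cfg",
                 "absolute": str(top / "secret.cfg")}
        for label, name in cases.items():
            unsafe = resolve_unsafe(str(root), name)
            escaped = not unsafe.startswith(str(root) + os.sep)
            try:
                resolve_confined(str(root), name)
                verdict = "served"
            except (PermissionError, FileNotFoundError) as exc:
                verdict = type(exc).__name__
            results[label] = (escaped, verdict)
    return results


if __name__ == "__main__":
    print(demo())
```

Each result pairs whether the unrestricted join left the download root with what the confined resolver decided for the same parameter.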

Source
ZTE thanks CNVD for paying attention to our products and cooperating with us to disclose vulnerabilities.

Update Records
September 21, 2023, initial.

Version Update Method
A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

Global Customer Support Center
http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

ZTE PSIRT
https://www.zte.com.cn/global/cybersecurity/ztepsirt.html