Arbitrary File Download Vulnerability in ZTE ZXCLOUD iRAI

Original Release Date: September 21, 2023

 

Vulnerability ID

CVE ID: CVE-2023-25650

CNNVD ID: CNNVD-2023-02977275

 

CVSS 3.1 Base Score

6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

 

Description

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Because the backend neither escapes special strings nor restricts paths, an attacker with user permission could modify the request parameter sent to the download interface and download arbitrary files.
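The missing path restriction described above, shown next to a confined resolver. This is an added example, not ZTE code: the function names, the exports directory and the file names are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class DownloadRejected(Exception):
    """Requested name is not a regular file inside the download root."""


def resolve_unrestricted(root: Path, requested: str) -> Path:
    # 'Before' pattern: the request parameter is joined to the root with
    # no escaping and no path restriction.
    return Path(os.path.normpath(os.path.join(root, requested)))


def resolve_confined(root: Path, requested: str) -> Path:
    # Reject NUL bytes and absolute paths, then canonicalise ("..", symlinks)
    # and require the result to stay under the canonical root.
    if "\x00" in requested or os.path.isabs(requested):
        raise DownloadRejected(requested)
    root_real = root.resolve(strict=True)
    target = (root_real / requested).resolve(strict=False)
    if not target.is_relative_to(root_real):  # Python 3.9+
        raise DownloadRejected(requested)
    if not target.is_file():
        raise DownloadRejected(requested)
    return target


def demo() -> dict:
    # Constructed layout: an export directory beside a file that must not be served.
    names = ("report.csv", "../secret.conf", "/tmp/other.txt",
             "link.csv", "sub/../report.csv")
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "exports"
        root.mkdir()
        (root / "report.csv").write_text("ok")
        (base / "secret.conf").write_text("not for download")
        os.symlink(base / "secret.conf", root / "link.csv")
        escaped = resolve_unrestricted(root, "../secret.conf")
        results = {"unrestricted_escapes": escaped == base / "secret.conf"}
        for name in names:
            try:
                resolve_confined(root, name)
                results[name] = "served"
            except DownloadRejected:
                results[name] = "rejected"
        return results
```

The check is made on the canonical path rather than on the raw parameter, so a symlink inside the root that points outside it is rejected, while a name that normalises back into the root is still served.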

 

Affected Products and Fixes

Product Name | Affected Version | Resolved Version
ZXCLOUD iRAI | All versions up to V7.23.23 | V7.23.30

 

Source

ZTE thanks CNVD for paying attention to our products and cooperating with us to disclose vulnerabilities.

 

Update Records

September 21, 2023, initial.

 

Version Update Method

A device that supports automatic update can receive a pop-up update message. You can upgrade the device accordingly. If no update message is received, contact your service provider to obtain the update information.

 

Global Customer Support Center

http://support.zte.com.cn/support/web/Contact.aspx?_langType=en

 

ZTE PSIRT

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html
