Dec 14, 2023 - 7:15 a.m.

CVE-2023-25650

2023-12-14 07:15:07
CWE-20
web.nvd.nist.gov
Tags: cve-2023-25650, arbitrary file download, zxcloud irai, vulnerability, information security, nvd

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.5 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 18.1%)

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.

Affected configurations

NVD
Node
Vendor: zte, Product: zxcloud_irai_firmware, Range: <7.23.30
AND
Vendor: zte, Product: zxcloud_irai, Match: -

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "ZXCLOUD iRAI",
    "vendor": "ZTE",
    "versions": [
      {
        "lessThanOrEqual": "V7.23.23",
        "status": "affected",
        "version": "All versions up to V7.23.23",
        "versionType": "V7.23.23"
      }
    ]
  }
]
