Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-25650

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.

Published

2023-12-14T07:15:07.783

Last Modified

2025-01-28T15:36:03.663

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-20
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	zte	zxcloud_irai	< 7.23.30	Yes
Application	zte	zxcloud_irai	-	No

References

https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904 Vendor Advisory ([email protected])
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032904 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)