CVE-2023-25650

MEDIUM

ZXCLOUD iRAI < 7.23.30 - Authenticated Arbitrary File Download via Request Parameter

Description

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads.

Scores

CVSS v3: 6.5
EPSS: 0.0026
EPSS Percentile: 49.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-20
Status: published
Products (1): zte/zxcloud_irai < 7.23.30
Published: Dec 14, 2023
Tracked Since: Feb 18, 2026