Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kingdee Cloud-Starry-Sky Enterprise Edition IIS-K3CloudMiniApp FileUploadAction.class path traversal
Vulnerability Description
A security vulnerability has been detected in Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2. This issue affects the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file K3Cloud\BBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!\kingdee\k3\o2o\base\webapp\action\FileUploadAction.class of the component IIS-K3CloudMiniApp. The manipulation of the argument filePath leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. It is suggested to install a patch to address this issue. The vendor recommends as a short-term measure to "[t]emporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control." The long-term remediation will be: "Install the security patch provided by the Starry Sky system, with the specific solutions being: i) Adding authentication to the vulnerable CMKAppWebHandler.ashx interface; ii) Removing the file reading function."
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Kingdee Cloud-Starry-Sky Enterprise Edition 路径遍历漏洞
Vulnerability Description
Kingdee Cloud-Starry-Sky Enterprise Edition是中国金蝶(Kingdee)公司的一个面向成长型企业的数字化转型解决方案。 Kingdee Cloud-Starry-Sky Enterprise Edition 8.2及之前版本存在路径遍历漏洞,该漏洞源于对参数filePath的错误操作导致路径遍历。
CVSS Information
N/A
Vulnerability Type
N/A