GoldPanKit Eva-Server Arbitrary File Download Vulnerability

Vulnerability

An arbitrary file download vulnerability has been identified in GoldPanKit Eva-Server version 4.1.0. The issue arises in the '/api/resource/local/download' endpoint, where the 'path' parameter can be manipulated to download arbitrary files from the server.

Impact

Exploitation of this vulnerability allows for arbitrary file download, potentially leading to exposure of sensitive information.

Reproduction

To reproduce this vulnerability, log into the application and access the '/api/resource/local/download' endpoint. Include a crafted 'path' parameter that traverses directories, such as '../../../../etc/passwd', to download the targeted file.

Remediation

Ensure that the 'path' parameter is validated to prevent directory traversal attacks.
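The following is an added illustration of that remediation, not code from Eva-Server: a server-side check that maps the user-supplied 'path' parameter onto a file under a fixed resource root and rejects anything whose resolved location falls outside it. The resource root path is an assumption chosen for the example.

```python
import os
from pathlib import Path

# Assumed resource root for this example; Eva-Server's real download
# directory is not given on the page.
RESOURCE_ROOT = "/srv/eva/resources"


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the resource root."""


def resolve_download_path(user_path: str, root: str = RESOURCE_ROOT) -> str:
    """Return the canonical absolute path for a 'path' parameter.

    The containment check is done on the fully resolved path, so '..'
    segments, absolute paths and symlinks pointing outside the root are all
    rejected. A plain string-prefix test (candidate.startswith(root)) is not
    enough: it would accept '../resources2/x' as being under '/srv/eva/resources'.
    """
    if not user_path or "\x00" in user_path:
        raise PathTraversalError("empty path or embedded NUL byte")
    root_real = os.path.realpath(root)
    # os.path.join drops root_real when user_path is absolute; the
    # containment check below catches exactly that case.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if candidate == root_real:
        raise PathTraversalError("path resolves to the resource root itself")
    try:
        Path(candidate).relative_to(root_real)
    except ValueError:
        raise PathTraversalError(f"path escapes resource root: {user_path!r}") from None
    return candidate


def is_safe_download_path(user_path: str, root: str = RESOURCE_ROOT) -> bool:
    """Boolean form of the check, for use as a guard in a download handler."""
    try:
        resolve_download_path(user_path, root)
        return True
    except PathTraversalError:
        return False
```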

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.0
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.