Kingdee Cloud Galaxy Private Cloud BBC System Path Traversal Vulnerability Allowing Arbitrary File Deletion
Vulnerability
A critical path traversal vulnerability has been identified in Kingdee Cloud Galaxy Private Cloud BBC System versions through 9.0 Patch April 2025. The issue resides in the File Handler component, specifically in the BaseServiceFactory.getFileUploadService.deleteFileAction function of the file fileUpload/deleteFileAction.jhtml. The filePath argument of this delete action is not confined to the intended upload directory, so a crafted value containing path traversal sequences can direct the handler to delete arbitrary files on the server, including backend service files and data.
Impact
Exploitation of this vulnerability allows arbitrary file deletion on the server. Unlike a read-only traversal, the effect is destructive: removing critical backend service files or stored data can cause data loss and leave the application or its dependent services unavailable until the files are restored from backup.
Remediation
Users are advised to apply the available patch and to ensure that the file deletion interface canonicalizes the supplied path, verifies that it resolves inside the intended upload directory, and enforces permission checks before any file is removed. Detailed instructions for applying the patch can be found in the Kingdee Cloud Community.
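The following is an added illustration of the weakness described above and of the containment check the remediation calls for. It is generic example code written for this page, not Kingdee's implementation, and it does not reproduce the product's actual request handling: the function names, the directory layout and the traversal input are all constructed for the demonstration. The vulnerable variant joins the caller-supplied path onto the upload directory and deletes the result; the hardened variant canonicalizes the path first and refuses anything that does not resolve under the upload root.

```python
import os
import tempfile
from pathlib import Path


def delete_file_unsafe(upload_root: str, file_path: str) -> bool:
    """Vulnerable pattern (hypothetical): the caller-supplied filePath is joined
    onto the upload directory and deleted without any containment check.
    '..' segments, or an absolute path (which os.path.join silently accepts
    as the whole result), let the caller reach files outside upload_root."""
    target = os.path.join(upload_root, file_path)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def resolve_under_root(upload_root: str, file_path: str) -> Path:
    """Canonicalize file_path relative to upload_root and refuse anything that
    does not stay inside it.  resolve() also follows symlinks, so a link
    planted inside the upload directory that points outside is rejected."""
    root = Path(upload_root).resolve()
    if os.path.isabs(file_path):
        raise ValueError("absolute filePath rejected")
    target = (root / file_path).resolve()
    # commonpath is the canonical prefix shared by root and target; if it is
    # not root itself, the target lives somewhere else on the filesystem.
    if os.path.commonpath([root, target]) != str(root):
        raise ValueError(f"filePath escapes upload directory: {file_path!r}")
    return target


def is_within_upload_root(upload_root: str, file_path: str) -> bool:
    """Boolean form of the containment check, convenient for tests and logging."""
    try:
        resolve_under_root(upload_root, file_path)
        return True
    except ValueError:
        return False


def delete_file_safe(upload_root: str, file_path: str) -> bool:
    """Hardened deletion: validate containment before touching the filesystem.
    Permission checks (is this user allowed to delete this file?) would sit
    here as well, before the unlink."""
    target = resolve_under_root(upload_root, file_path)
    if target.is_file():
        target.unlink()
        return True
    return False


def demo() -> dict:
    """Constructed scenario, not the real product layout: an uploads directory
    holding a user file, beside a backend directory holding a config file that
    a traversal payload attempts to delete."""
    base = Path(tempfile.mkdtemp())
    uploads = base / "uploads"
    backend = base / "backend"
    uploads.mkdir()
    backend.mkdir()
    (uploads / "report.pdf").write_text("user upload")
    config = backend / "config.properties"
    config.write_text("db.password=example")

    traversal = "../backend/config.properties"   # constructed traversal input
    results = {}

    # Hardened handler: traversal is rejected, a legitimate delete still works.
    try:
        delete_file_safe(str(uploads), traversal)
        results["safe_rejected_traversal"] = False
    except ValueError:
        results["safe_rejected_traversal"] = True
    results["backend_config_survived_safe"] = config.exists()
    results["safe_deleted_legit"] = delete_file_safe(str(uploads), "report.pdf")

    # Vulnerable handler: the same payload deletes the backend config file.
    results["unsafe_deleted_backend"] = delete_file_unsafe(str(uploads), traversal)
    results["backend_config_gone_after_unsafe"] = not config.exists()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check compares canonical paths rather than searching the input for "../", because encoded or mixed separators and symlinks defeat string matching; resolving first and then testing the prefix is the approach that survives those variations.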
