Aaluoxiang OA System Path Traversal Vulnerability in UserpanelController
Vulnerability
A path traversal vulnerability has been identified in the Aaluoxiang OA System in versions before commit 5b445a6227b51cee287bd0c7c33ed94b801a82a5. The issue resides in the 'image' function of UserpanelController.java, which serves the API route 'image/**'. Because the requested path is not confined to the intended image directory, remote attackers can read arbitrary files on the server through this route, potentially leading to unauthorized disclosure of sensitive information.
Impact
Exploitation of this vulnerability yields arbitrary file read on the server, which can expose configuration files, credentials and other sensitive information.
Reproduction
To reproduce this vulnerability, deploy the Aaluoxiang OA System project and log in to obtain a valid 'JSESSIONID' cookie. Then, send a GET request to the 'image' endpoint, including a path traversal payload that uses '../' to navigate to a sensitive file, such as 'passwd.txt'.
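The defensive counterpart of the issue described above, as an added example that is not the project's own code: a hypothetical resolver for an 'image/**' style handler that canonicalises the client-supplied path and refuses anything that escapes the image directory. The class name, the base directory and the sample inputs are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical hardened path resolver for an "image/**" style route (not the project's code). */
public final class SafeImageResolver {
    private final Path baseDir;

    public SafeImageResolver(String baseDir) {
        // Canonicalise the image root once; every served file must live under it.
        this.baseDir = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /**
     * Resolves a request-supplied relative path against the image root.
     * Returns the absolute path only if it stays inside the root, null otherwise.
     * Assumes the framework has already URL-decoded the path (Spring does for "**" routes).
     */
    public Path resolve(String requested) {
        if (requested == null || requested.isEmpty()) return null;
        // Reject NUL bytes (would throw InvalidPathException) and absolute paths outright.
        if (requested.indexOf('\0') >= 0 || Paths.get(requested).isAbsolute()) return null;
        // normalize() collapses "." and ".." segments, so "../" sequences are resolved
        // before the containment check rather than being matched as a string.
        Path candidate = baseDir.resolve(requested).normalize();
        // Containment check: the normalised path must still start with the image root.
        if (!candidate.startsWith(baseDir)) return null;
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed image root and inputs: one legitimate file, two traversal attempts.
        SafeImageResolver r = new SafeImageResolver("/var/oa/upload/images");
        String[] inputs = {"avatar/1.png", "../../../../etc/passwd", "a/../../secret.txt"};
        for (String in : inputs) {
            Path p = r.resolve(in);
            System.out.println(in + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```

`normalize()` does not follow symbolic links; if the image directory may contain links pointing outside it, resolve the candidate with `toRealPath()` and repeat the `startsWith` check on the result.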