YiJiuSmile kkFileViewOfficeEdit Path Traversal Vulnerability in Download Function
Vulnerability
A critical path traversal vulnerability has been identified in YiJiuSmile kkFileViewOfficeEdit in versions prior to commit 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. The issue lies in the 'Download' function of the '/download' file, where the 'url' argument can be manipulated to read arbitrary files without authorization. The vulnerability can be exploited remotely.
Impact
Exploitation of this vulnerability allows for arbitrary file reading on the server where the application is hosted.
Reproduction
To reproduce this vulnerability, send a request to the '/download' endpoint with a 'url' parameter that specifies the absolute path of the file to be read. The application returns the contents of that file, bypassing the directory restrictions that should confine downloads.
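A defensive check for the 'url' parameter described above, added here as an illustration and not taken from kkFileViewOfficeEdit or its fix: the download directory, the function names and the sample inputs are assumptions. It canonicalizes the requested path against the intended download directory and rejects anything that resolves outside it, which is the control whose absence produces this class of bug.

```python
import os
from pathlib import Path

# Constructed download root; the real application's directory is not on the page.
BASE_DIR = Path("/srv/kkfileview/files")


class PathTraversalError(ValueError):
    """Raised when a requested 'url' would resolve outside the download root."""


def resolve_download_path(url: str, base_dir: Path = BASE_DIR) -> Path:
    """Map the untrusted 'url' parameter to a file inside base_dir.

    Rejects empty values, embedded NUL bytes and absolute paths up front, then
    canonicalizes base_dir / url (collapsing '..' and following symlinks) and
    requires the result to remain inside the canonical base directory.
    """
    if not url or "\x00" in url:
        raise PathTraversalError("empty or NUL-containing path")
    # Reject absolute paths explicitly; also catch a leading separator so the
    # check behaves the same on non-POSIX hosts where '/etc' is not absolute.
    if Path(url).is_absolute() or url.startswith(("/", "\\")):
        raise PathTraversalError("absolute paths are not allowed")

    base = base_dir.resolve(strict=False)
    # strict=False lets the check run even when the file does not exist yet.
    resolved = (base / url).resolve(strict=False)
    try:
        resolved.relative_to(base)  # raises ValueError if resolved escapes base
    except ValueError:
        raise PathTraversalError("path escapes the download directory") from None
    return resolved


def is_safe_download(url: str, base_dir: Path = BASE_DIR) -> bool:
    """Boolean form of the check, convenient for logging or request filtering."""
    try:
        resolve_download_path(url, base_dir)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for sample in ("docs/report.pdf", "docs/../report.pdf", "/etc/hostname", "../../outside.txt"):
        print(f"{sample!r:26} -> {'allowed' if is_safe_download(sample) else 'rejected'}")
```

Note that a request like `docs/../report.pdf` is accepted because it still resolves inside the download root; the decision is made on the canonical path, not on the raw string.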
