Tsinghua Unigroup Archives System Allows Remote File Access

Summary

A security flaw in the Tsinghua Unigroup Archives System lets hackers access and download sensitive files on your system from anywhere. This is a serious issue because it allows attackers to access and potentially steal confidential data. We recommend that you update your system to the latest version as soon as possible to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
unigroup	electronic_archives_system	<= 3.2.210802\(62532\)	–

Original title

A security flaw has been discovered in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is the function Download of the file /Search/Subject/downLoad. ...

Original description

A security flaw has been discovered in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is the function Download of the file /Search/Subject/downLoad. Performing a manipulation of the argument path results in path traversal. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

nvd CVSS2.0 4.0

nvd CVSS3.1 5.3

nvd CVSS4.0 5.3

Vulnerability type

CWE-22 Path Traversal

https://github.com/luoye197-prog/cve-ziguang-fileread/blob/main/introduce Broken Link
https://github.com/luoye197-prog/cve-ziguang-fileread/blob/main/poc.py Broken Link
https://vuldb.com/?ctiid.346468 Permissions Required VDB Entry
https://vuldb.com/?id.346468 Third Party Advisory VDB Entry
https://vuldb.com/?submit.753295 Third Party Advisory VDB Entry
https://vuldb.com/?submit.753383 Third Party Advisory VDB Entry