References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-22

CWE-552

https://cxsecurity.com/issue/WLB-2021070173

https://exchange.xforce.ibmcloud.com/vulnerabilities/206477

https://packetstormsecurity.com/files/163702

https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/

https://www.exploit-db.com/exploits/50163

https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php