Refine your search
2 vulnerabilities found for BEMS API by Shenzhen Longjing Technology Co. Ltd.
CVE-2021-4463 (GCVE-0-2021-4463)
Vulnerability from nvd
Published
2025-11-12 22:07
Modified
2025-11-13 17:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Shenzhen Longjing Technology Co. Ltd. | BEMS API |
Version: 0 ≤ 1.21 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T17:05:01.698452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T17:05:15.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BEMS API",
"vendor": "Shenzhen Longjing Technology Co. Ltd.",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gjoko Krstic of Zero Science Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the \u0027downloads\u0027 endpoint. The \u0027fileName\u0027 parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory."
}
],
"value": "Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the \u0027downloads\u0027 endpoint. The \u0027fileName\u0027 parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T22:07:30.512Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50163"
},
{
"tags": [
"exploit"
],
"url": "https://packetstormsecurity.com/files/163702"
},
{
"tags": [
"exploit"
],
"url": "https://cxsecurity.com/issue/WLB-2021070173"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206477"
},
{
"tags": [
"product"
],
"url": "https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-07-27T16:00:00.000Z",
"value": "ZSL-2021-5657 is publicly disclosed."
}
],
"title": "Longjing Technology BEMS API \u003c= 1.21 Remote Arbitrary File Download",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-4463",
"datePublished": "2025-11-12T22:07:30.512Z",
"dateReserved": "2025-11-12T20:55:39.039Z",
"dateUpdated": "2025-11-13T17:05:15.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-4463 (GCVE-0-2021-4463)
Vulnerability from cvelistv5
Published
2025-11-12 22:07
Modified
2025-11-13 17:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Shenzhen Longjing Technology Co. Ltd. | BEMS API |
Version: 0 ≤ 1.21 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T17:05:01.698452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T17:05:15.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BEMS API",
"vendor": "Shenzhen Longjing Technology Co. Ltd.",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gjoko Krstic of Zero Science Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the \u0027downloads\u0027 endpoint. The \u0027fileName\u0027 parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory."
}
],
"value": "Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the \u0027downloads\u0027 endpoint. The \u0027fileName\u0027 parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T22:07:30.512Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50163"
},
{
"tags": [
"exploit"
],
"url": "https://packetstormsecurity.com/files/163702"
},
{
"tags": [
"exploit"
],
"url": "https://cxsecurity.com/issue/WLB-2021070173"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206477"
},
{
"tags": [
"product"
],
"url": "https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-07-27T16:00:00.000Z",
"value": "ZSL-2021-5657 is publicly disclosed."
}
],
"title": "Longjing Technology BEMS API \u003c= 1.21 Remote Arbitrary File Download",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-4463",
"datePublished": "2025-11-12T22:07:30.512Z",
"dateReserved": "2025-11-12T20:55:39.039Z",
"dateUpdated": "2025-11-13T17:05:15.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}