Vulnerabilites related to ZhongBangKeJi - CRMEB
CVE-2024-6943 (GCVE-0-2024-6943)
Vulnerability from cvelistv5
Published
2024-07-21 07:00
Modified
2024-08-01 21:45
Severity ?
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization
Summary
A vulnerability has been found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this vulnerability is the function downloadImage of the file app/services/product/product/CopyTaobaoServices.php. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272065 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.272065 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.272065 | signature, permissions-required | |
| https://vuldb.com/?submit.374394 | third-party-advisory | |
| https://gist.github.com/J1rrY-learn/e15a1926a3b5a2b8805a15cb95eff1d7 | broken-link, exploit |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ZhongBangKeJi | CRMEB |
Version: 5.0 Version: 5.1 Version: 5.2 Version: 5.3 Version: 5.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T19:01:41.695941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T19:01:51.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.359Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-272065 | ZhongBangKeJi CRMEB CopyTaobaoServices.php downloadImage deserialization",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.272065"
},
{
"name": "VDB-272065 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.272065"
},
{
"name": "Submit #374394 | Xi\u0027an Zhongbang Network Technology Co. CRMEB open source mall system \u003c=5.4.0 phar Deserialization/RCE",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vuldb.com/?submit.374394"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://gist.github.com/J1rrY-learn/e15a1926a3b5a2b8805a15cb95eff1d7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CRMEB",
"vendor": "ZhongBangKeJi",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"status": "affected",
"version": "5.1"
},
{
"status": "affected",
"version": "5.2"
},
{
"status": "affected",
"version": "5.3"
},
{
"status": "affected",
"version": "5.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "J1rrY (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this vulnerability is the function downloadImage of the file app/services/product/product/CopyTaobaoServices.php. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272065 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In ZhongBangKeJi CRMEB bis 5.4.0 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Es geht um die Funktion downloadImage der Datei app/services/product/product/CopyTaobaoServices.php. Mit der Manipulation mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-21T07:00:06.788Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-272065 | ZhongBangKeJi CRMEB CopyTaobaoServices.php downloadImage deserialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.272065"
},
{
"name": "VDB-272065 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.272065"
},
{
"name": "Submit #374394 | Xi\u0027an Zhongbang Network Technology Co. CRMEB open source mall system \u003c=5.4.0 phar Deserialization/RCE",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.374394"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://gist.github.com/J1rrY-learn/e15a1926a3b5a2b8805a15cb95eff1d7"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-07-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-07-20T12:04:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhongBangKeJi CRMEB CopyTaobaoServices.php downloadImage deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6943",
"datePublished": "2024-07-21T07:00:06.788Z",
"dateReserved": "2024-07-20T09:59:21.867Z",
"dateUpdated": "2024-08-01T21:45:38.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6944 (GCVE-0-2024-6944)
Vulnerability from cvelistv5
Published
2024-07-21 07:31
Modified
2024-08-01 21:45
Severity ?
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization
Summary
A vulnerability was found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this issue is the function get_image_base64 of the file PublicController.php. The manipulation of the argument file leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-272066 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.272066 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.272066 | signature, permissions-required | |
| https://vuldb.com/?submit.374413 | third-party-advisory | |
| https://gist.github.com/J1rrY-learn/93a0cf71894570f4eb39344161beb44c | broken-link, exploit |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ZhongBangKeJi | CRMEB |
Version: 5.0 Version: 5.1 Version: 5.2 Version: 5.3 Version: 5.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T15:50:36.955403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T15:50:49.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-272066 | ZhongBangKeJi CRMEB PublicController.php get_image_base64 deserialization",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.272066"
},
{
"name": "VDB-272066 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.272066"
},
{
"name": "Submit #374413 | Xi\u0027an Zhongbang Network Technology Co. CRMEB open source mall system \u003c=5.4.0 Arbitrary file reading",
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://vuldb.com/?submit.374413"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://gist.github.com/J1rrY-learn/93a0cf71894570f4eb39344161beb44c"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CRMEB",
"vendor": "ZhongBangKeJi",
"versions": [
{
"status": "affected",
"version": "5.0"
},
{
"status": "affected",
"version": "5.1"
},
{
"status": "affected",
"version": "5.2"
},
{
"status": "affected",
"version": "5.3"
},
{
"status": "affected",
"version": "5.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "J1rrY (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in ZhongBangKeJi CRMEB up to 5.4.0 and classified as critical. Affected by this issue is the function get_image_base64 of the file PublicController.php. The manipulation of the argument file leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-272066 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in ZhongBangKeJi CRMEB bis 5.4.0 gefunden. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion get_image_base64 der Datei PublicController.php. Durch die Manipulation des Arguments file mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-21T07:31:04.139Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-272066 | ZhongBangKeJi CRMEB PublicController.php get_image_base64 deserialization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.272066"
},
{
"name": "VDB-272066 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.272066"
},
{
"name": "Submit #374413 | Xi\u0027an Zhongbang Network Technology Co. CRMEB open source mall system \u003c=5.4.0 Arbitrary file reading",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.374413"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://gist.github.com/J1rrY-learn/93a0cf71894570f4eb39344161beb44c"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-07-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-07-20T12:04:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhongBangKeJi CRMEB PublicController.php get_image_base64 deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-6944",
"datePublished": "2024-07-21T07:31:04.139Z",
"dateReserved": "2024-07-20T09:59:27.747Z",
"dateUpdated": "2024-08-01T21:45:38.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1704 (GCVE-0-2024-1704)
Vulnerability from cvelistv5
Published
2024-02-21 17:31
Modified
2024-08-01 18:48
Severity ?
5.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.5 (Medium) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Path Traversal
Summary
A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been declared as critical. This vulnerability affects the function save/delete of the file /adminapi/system/crud. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254392. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.254392 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.254392 | signature, permissions-required | |
| https://github.com/Echosssy/CVE/blob/main/%E4%BC%97%E9%82%A6%E7%A7%91%E6%8A%80CRMEB%20Mall%20business%20edition%20overrides%20any%20file.docx | exploit |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ZhongBangKeJi | CRMEB |
Version: 5.2.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T18:03:47.262705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:57.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.812Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-254392 | ZhongBangKeJi CRMEB crud delete path traversal",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.254392"
},
{
"name": "VDB-254392 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.254392"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/Echosssy/CVE/blob/main/%E4%BC%97%E9%82%A6%E7%A7%91%E6%8A%80CRMEB%20Mall%20business%20edition%20overrides%20any%20file.docx"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "CRMEB",
"vendor": "ZhongBangKeJi",
"versions": [
{
"status": "affected",
"version": "5.2.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ting (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "Ting (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been declared as critical. This vulnerability affects the function save/delete of the file /adminapi/system/crud. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254392. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In ZhongBangKeJi CRMEB 5.2.2 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Betroffen ist die Funktion save/delete der Datei /adminapi/system/crud. Mittels Manipulieren mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.2,
"vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T17:31:04.410Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-254392 | ZhongBangKeJi CRMEB crud delete path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.254392"
},
{
"name": "VDB-254392 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.254392"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Echosssy/CVE/blob/main/%E4%BC%97%E9%82%A6%E7%A7%91%E6%8A%80CRMEB%20Mall%20business%20edition%20overrides%20any%20file.docx"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-21T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-21T11:42:08.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhongBangKeJi CRMEB crud delete path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-1704",
"datePublished": "2024-02-21T17:31:04.410Z",
"dateReserved": "2024-02-21T10:36:56.621Z",
"dateUpdated": "2024-08-01T18:48:21.812Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1703 (GCVE-0-2024-1703)
Vulnerability from cvelistv5
Published
2024-02-21 17:00
Modified
2024-08-27 14:29
Severity ?
3.5 (Low) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
3.5 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
VLAI Severity ?
EPSS score ?
CWE
- CWE-36 - Absolute Path Traversal
Summary
A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254391. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.254391 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.254391 | signature, permissions-required | |
| https://github.com/Echosssy/-CRMEB-Mall-commercial-version-of-any-file-read-vulnerability/blob/main/README.md | exploit |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ZhongBangKeJi | CRMEB |
Version: 5.2.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-254391 | ZhongBangKeJi CRMEB openfile absolute path traversal",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.254391"
},
{
"name": "VDB-254391 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.254391"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://github.com/Echosssy/-CRMEB-Mall-commercial-version-of-any-file-read-vulnerability/blob/main/README.md"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:crmeb:crmeb:5.2.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "crmeb",
"vendor": "crmeb",
"versions": [
{
"status": "affected",
"version": "5.2.2"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1703",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T18:15:55.981309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T14:29:52.020Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CRMEB",
"vendor": "ZhongBangKeJi",
"versions": [
{
"status": "affected",
"version": "5.2.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ting (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in ZhongBangKeJi CRMEB 5.2.2. It has been classified as problematic. This affects the function openfile of the file /adminapi/system/file/openfile. The manipulation leads to absolute path traversal. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254391. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in ZhongBangKeJi CRMEB 5.2.2 ausgemacht. Sie wurde als problematisch eingestuft. Hiervon betroffen ist die Funktion openfile der Datei /adminapi/system/file/openfile. Mittels dem Manipulieren mit unbekannten Daten kann eine absolute path traversal-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.7,
"vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36 Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T17:00:09.614Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-254391 | ZhongBangKeJi CRMEB openfile absolute path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.254391"
},
{
"name": "VDB-254391 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.254391"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Echosssy/-CRMEB-Mall-commercial-version-of-any-file-read-vulnerability/blob/main/README.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-21T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-21T11:42:06.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhongBangKeJi CRMEB openfile absolute path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-1703",
"datePublished": "2024-02-21T17:00:09.614Z",
"dateReserved": "2024-02-21T10:36:53.450Z",
"dateUpdated": "2024-08-27T14:29:52.020Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}