Longjing Technology BEMS API version 1.21 suffers from an unauthenticated arbitrary file download vulnerability. Input passed via the fileName parameter to the downloads endpoint is not properly validated before being used to locate the file to serve. This can be exploited through directory traversal to disclose the contents of arbitrary and sensitive files on the server.
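The check the advisory describes as missing, shown defender-side: a download handler must resolve the user-supplied fileName and confirm it still lies inside the configured download directory. This is added illustration code, not Longjing BEMS code; the /srv/bems/downloads root and the sample names are constructed.

```python
"""Safe resolution of a user-supplied fileName for a file download endpoint.

Added example (not Longjing BEMS code). Demonstrates the validation that an
unauthenticated downloads endpoint needs before opening a file named by the
client: reject traversal and absolute paths, then verify the canonical path.
"""
import os


class UnsafePathError(ValueError):
    """Raised when fileName would resolve outside the download directory."""


def resolve_download_path(base_dir: str, file_name: str) -> str:
    """Return the absolute path for file_name if it lies inside base_dir.

    Assumes file_name has already been URL-decoded by the web framework.
    Rejects null bytes, absolute paths and any '..' segment, then confirms the
    canonical path (symlinks resolved) is still strictly under base_dir.
    """
    if not file_name or "\x00" in file_name:
        raise UnsafePathError("empty name or embedded null byte")
    # Treat backslashes as separators so '..\\' is handled like '../'.
    normalized = file_name.replace("\\", "/")
    if normalized.startswith("/") or ".." in normalized.split("/"):
        raise UnsafePathError(f"traversal or absolute path rejected: {file_name!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, normalized))
    # realpath() follows symlinks, so a link inside base_dir that points
    # outside it is caught here as well. The root itself is not a file.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafePathError(f"resolved outside download root: {candidate}")
    return candidate


def is_safe_download(base_dir: str, file_name: str) -> bool:
    """Boolean wrapper suitable for an allow/deny decision plus logging."""
    try:
        resolve_download_path(base_dir, file_name)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, several traversal attempts.
    downloads = "/srv/bems/downloads"  # constructed download root
    for name in ["report-2021.csv", "../../etc/passwd", "/etc/passwd", "sub/..\\..\\secret"]:
        verdict = "allow" if is_safe_download(downloads, name) else "deny"
        print(f"{name!r:28} -> {verdict}")
```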
