CVE-2024-13984 in TianQing Management Center
Summary
by MITRE • 08/28/2025
QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rptsvr/upload endpoint fails to sanitize the filename parameter in multipart form-data requests, enabling path traversal. This allows attackers to place executable files in web-accessible directories, potentially leading to remote code execution.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/28/2025
The vulnerability identified as CVE-2024-13984 affects QiAnXin TianQing Management Center versions 6.7.0.4130 and earlier, representing a critical path traversal flaw within the rptsvr component. This security weakness stems from insufficient input validation in the file upload functionality, specifically within the /rptsvr/upload endpoint that processes multipart form-data requests. The vulnerability manifests when the system fails to properly sanitize the filename parameter, creating an opportunity for attackers to manipulate file paths during upload operations.
The technical exploitation of this vulnerability relies on the absence of proper path validation mechanisms that should normally prevent directory traversal sequences such as ../ or ..\ in file names. Attackers can craft malicious requests that include these traversal sequences in the filename parameter, allowing them to write files to arbitrary locations on the target server filesystem. This flaw directly maps to CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. The vulnerability's classification aligns with ATT&CK technique T1190, which covers exploiting vulnerabilities in software to gain unauthorized access to systems.
The operational impact of this vulnerability is severe and potentially catastrophic for affected organizations. Unauthenticated attackers can leverage this weakness to upload malicious files to web-accessible directories, effectively bypassing normal access controls and authentication mechanisms. Once uploaded, these files can be executed by the web server, potentially leading to full system compromise through remote code execution. The vulnerability creates a persistent backdoor that attackers can use to maintain access, escalate privileges, or establish further footholds within the network infrastructure. Organizations using affected versions face significant risk of data breaches, system infiltration, and potential lateral movement attacks.
Mitigation strategies for CVE-2024-13984 should prioritize immediate patching of affected systems to the latest available versions of QiAnXin TianQing Management Center. Organizations should implement network segmentation and access controls to limit exposure of the affected component to untrusted networks. Input validation should be strengthened at the application level by implementing strict filename sanitization that removes or encodes potentially dangerous characters. Web server configurations should be reviewed to ensure that uploaded files cannot be executed directly, and proper file type restrictions should be enforced. Network monitoring should be enhanced to detect anomalous file upload patterns and unusual network traffic originating from the affected system. Additionally, organizations should conduct comprehensive vulnerability assessments to identify any potential exploitation attempts and implement intrusion detection systems to alert on suspicious activities related to file upload operations.