| tiêu đề | erjinzhi soft 10 OA V1.0 File Path Traversal |
|---|
| Mô tả | During the security review of "10OA",I discovered a critical file path traversal (directory traversal) vulnerability exists in the file.aspx endpoint under the /view/ directory of the 10OA system hosted at https://www.10oa.com. The vulnerability arises from insufficient validation and sanitization of the file query parameter. Attackers can exploit this flaw by submitting maliciously crafted file parameter values containing ../ (dot-dot-slash) sequences to traverse outside the intended file directory and access sensitive system files on the server.
In this case, the vulnerability was successfully exploited to read the Windows system configuration file C:\windows\win.ini—a clear indication that the server does not restrict access to critical system paths. This flaw allows unauthorized access to sensitive files (e.g., configuration files, credentials, log data) and may lead to further server compromise if combined with other vulnerabilities.
|
|---|
| Nguồn | ⚠️ https://github.com/1276486/CVE/issues/8 |
|---|
| Người dùng | Zre0x1c (UID 89206) |
|---|
| Đệ trình | 28/08/2025 09:49 (cách đây 8 các tháng) |
|---|
| Kiểm duyệt | 11/09/2025 17:11 (14 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 323643 [erjinzhi 10OA 1.0 /view/file.aspx Tệp tin duyệt thư mục] |
|---|
| điểm | 20 |
|---|