CVE-2025-0390
Published: 11 January 2025
Description
A vulnerability classified as critical was found in Guangzhou Huayi Intelligent Technology Jeewms up to 20241229. This vulnerability affects unknown code of the file /wmOmNoticeHController.do. The manipulation leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 20250101 is able to address this issue. It is recommended to upgrade the affected component.
Security Summary
CVE-2025-0390 is a critical path traversal vulnerability (CWE-23, CWE-24) in Guangzhou Huayi Intelligent Technology's Jeewms application, affecting versions up to 20241229. The flaw resides in unknown code within the /wmOmNoticeHController.do file, where manipulation using the '../filedir' sequence allows unauthorized file access outside intended directories.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Successful exploitation enables limited disclosure of sensitive files, resulting in low-impact confidentiality loss, with no effects on integrity or availability. The exploit has been publicly disclosed and may be actively used.
Advisories recommend upgrading to Jeewms version 20250101 to remediate the issue. Relevant details are documented in the Gitee issue at https://gitee.com/erzhongxmu/JEEWMS/issues/IBFKBM and VulDB entries at https://vuldb.com/?ctiid.291124 and https://vuldb.com/?id.291124.
Details
- CWE(s)