Search criteria
2 vulnerabilities found for Cloud Galaxy Private Cloud BBC System by Kingdee
CVE-2025-5029 (GCVE-0-2025-5029)
Vulnerability from cvelistv5 – Published: 2025-05-21 14:31 – Updated: 2025-05-21 14:40
VLAI?
Title
Kingdee Cloud Galaxy Private Cloud BBC System File deleteFileAction.jhtml path traversal
Summary
A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
Severity ?
5.4 (Medium)
5.4 (Medium)
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kingdee | Cloud Galaxy Private Cloud BBC System |
Affected:
9.0 Patch April 2025
|
Credits
caichaoxiong (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T14:37:42.787741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T14:40:03.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"File Handler"
],
"product": "Cloud Galaxy Private Cloud BBC System",
"vendor": "Kingdee",
"versions": [
{
"status": "affected",
"version": "9.0 Patch April 2025"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "In Kingdee Cloud Galaxy Private Cloud BBC System bis 9.0 Patch April 2025 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Betroffen ist die Funktion BaseServiceFactory.getFileUploadService.deleteFileAction der Datei fileUpload/deleteFileAction.jhtml der Komponente File Handler. Durch Beeinflussen des Arguments filePath mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T14:31:09.477Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-309847 | Kingdee Cloud Galaxy Private Cloud BBC System File deleteFileAction.jhtml path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.309847"
},
{
"name": "VDB-309847 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.309847"
},
{
"name": "Submit #570956 | Kingdee Cloud-Starry-Sky Enterprise Edition V8.2 Arbitrary File Deletion Vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.570956"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=nFbp0U0gSX0QVechIO"
},
{
"tags": [
"related"
],
"url": "https://vip.kingdee.com/knowledge/708656434111770368"
},
{
"tags": [
"patch"
],
"url": "https://vip.kingdee.com/school/detail/713028702245944320?productLineId=1\u0026lang=zh-CN"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-09T00:00:00.000Z",
"value": "Countermeasure disclosed"
},
{
"lang": "en",
"time": "2025-05-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-21T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-21T12:56:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Kingdee Cloud Galaxy Private Cloud BBC System File deleteFileAction.jhtml path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5029",
"datePublished": "2025-05-21T14:31:09.477Z",
"dateReserved": "2025-05-21T10:04:46.963Z",
"dateUpdated": "2025-05-21T14:40:03.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5029 (GCVE-0-2025-5029)
Vulnerability from nvd – Published: 2025-05-21 14:31 – Updated: 2025-05-21 14:40
VLAI?
Title
Kingdee Cloud Galaxy Private Cloud BBC System File deleteFileAction.jhtml path traversal
Summary
A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
Severity ?
5.4 (Medium)
5.4 (Medium)
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kingdee | Cloud Galaxy Private Cloud BBC System |
Affected:
9.0 Patch April 2025
|
Credits
caichaoxiong (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T14:37:42.787741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T14:40:03.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"File Handler"
],
"product": "Cloud Galaxy Private Cloud BBC System",
"vendor": "Kingdee",
"versions": [
{
"status": "affected",
"version": "9.0 Patch April 2025"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "In Kingdee Cloud Galaxy Private Cloud BBC System bis 9.0 Patch April 2025 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Betroffen ist die Funktion BaseServiceFactory.getFileUploadService.deleteFileAction der Datei fileUpload/deleteFileAction.jhtml der Komponente File Handler. Durch Beeinflussen des Arguments filePath mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.5,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T14:31:09.477Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-309847 | Kingdee Cloud Galaxy Private Cloud BBC System File deleteFileAction.jhtml path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.309847"
},
{
"name": "VDB-309847 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.309847"
},
{
"name": "Submit #570956 | Kingdee Cloud-Starry-Sky Enterprise Edition V8.2 Arbitrary File Deletion Vulnerability",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.570956"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=nFbp0U0gSX0QVechIO"
},
{
"tags": [
"related"
],
"url": "https://vip.kingdee.com/knowledge/708656434111770368"
},
{
"tags": [
"patch"
],
"url": "https://vip.kingdee.com/school/detail/713028702245944320?productLineId=1\u0026lang=zh-CN"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-09T00:00:00.000Z",
"value": "Countermeasure disclosed"
},
{
"lang": "en",
"time": "2025-05-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-21T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-21T12:56:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Kingdee Cloud Galaxy Private Cloud BBC System File deleteFileAction.jhtml path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5029",
"datePublished": "2025-05-21T14:31:09.477Z",
"dateReserved": "2025-05-21T10:04:46.963Z",
"dateUpdated": "2025-05-21T14:40:03.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}