CVE-2024-13991 | THREATINT

Description

Huijietong Cloud Video Platform contains a path traversal vulnerability that allows an unauthenticated attacker can supply arbitrary file paths to the `fullPath` parameter of the `/fileDownload?action=downloadBackupFile` endpoint and retrieve files from the server filesystem. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign.

PUBLISHED Reserved 2025-10-14 | Published 2025-10-15 | Updated 2025-10-15 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status

unaffected

affected

Credits

CN-SEC finder

References

cn-sec.com/archives/2941393.html technical-description exploit

www.vulncheck.com/...atform-filedownload-arbitrary-file-read third-party-advisory

cve.org (CVE-2024-13991)

nvd.nist.gov (CVE-2024-13991)

Download JSON