Description
A vulnerability classified as critical was found in risesoft-y9 Digital-Infrastructure up to 9.6.7. Affected by this vulnerability is the function deleteFile of the file /Digital-Infrastructure-9.6.7/y9-digitalbase-webapp/y9-module-filemanager/risenet-y9boot-webapp-filemanager/src/main/java/net/risesoft/y9public/controller/Y9FileController.java. The manipulation of the argument fullPath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
In risesoft-y9 Digital-Infrastructure bis 9.6.7 wurde eine kritische Schwachstelle entdeckt. Hierbei betrifft es die Funktion deleteFile der Datei /Digital-Infrastructure-9.6.7/y9-digitalbase-webapp/y9-module-filemanager/risenet-y9boot-webapp-filemanager/src/main/java/net/risesoft/y9public/controller/Y9FileController.java. Dank Manipulation des Arguments fullPath mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.
Problem types
Product status
9.6.1
9.6.2
9.6.3
9.6.4
9.6.5
9.6.6
9.6.7
Timeline
| 2025-07-05: | Advisory disclosed |
| 2025-07-05: | VulDB entry created |
| 2025-07-05: | VulDB entry last update |
Credits
ShenxiuSecurity (VulDB User)
References
vuldb.com/?id.315019 (VDB-315019 | risesoft-y9 Digital-Infrastructure Y9FileController.java deleteFile path traversal)
vuldb.com/?ctiid.315019 (VDB-315019 | CTI Indicators (IOB, IOC, TTP, IOA))
vuldb.com/?submit.601825 (Submit #601825 | risesoft-y9 Digital-Infrastructure v9.6.7 Path Traversal)
github.com/...xiuSec/cve-proofs/blob/main/POC-20250621-01.md