QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rptsvr/upload endpoint fails to sanitize the filename parameter in multipart form-data requests, enabling path traversal. This allows attackers to place executable files in web-accessible directories, potentially leading to remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-23 UTC.
CVSS
No CVSS.
References
Configurations
No configuration.
History
28 Aug 2025, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rptsvr/upload endpoint fails to sanitize the filename parameter in multipart form-data requests, enabling path traversal. This allows attackers to place executable files in web-accessible directories, potentially leading to remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-23 UTC. |
27 Aug 2025, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-08-27 22:15
Updated : 2025-08-29 16:24
NVD link : CVE-2024-13984
Mitre link : CVE-2024-13984
CVE.ORG link : CVE-2024-13984
JSON object : View
Products Affected
No product.