CVE-2025-8516 Information
Description
A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2. It has been classified as problematic. Affected is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file K3Cloud\BBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!\kingdee\k3\o2o\base\webapp\action\FileUploadAction.class of the component IIS-K3CloudMiniApp. Manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor recommends as a short-term measure to "[t]emporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control." The long-term remediation will be: "Install the security patch provided by the Starry Sky system with the specific solutions being: i) Adding authentication to the vulnerable CMKAppWebHandler.ashx interface; ii) Removing the file reading function."
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
https://vuldb.com/?ctiid.318642
https://vuldb.com/?id.318642
https://vuldb.com/?submit.573678
https://wx.mail.qq.com/s?k=hk3Fixc6Z1cKMI9rge
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Base Severity
MEDIUM
Related CNNVD
CNNVD-202508-224 (Published: 2025-08-04)