Chain Sea Information Integration Co., Ltd ai chatbot system - Path Traversal
Description
Chain Sea ai chatbot system’s specific file download function has a path traversal vulnerability. The function improperly filters special characters in URL parameters, which allows a remote attacker to download arbitrary system files without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in Chain Sea ai chatbot's logo download function allows unauthenticated remote attackers to download arbitrary system files.
Vulnerability
The Chain Sea ai chatbot system (text customer service) contains a path traversal vulnerability in its file download function for logo files. The function fails to properly filter special characters in URL parameters, so directory traversal sequences are accepted. Affected versions are not explicitly listed; contact the vendor for details. [1]
Exploitation
An unauthenticated remote attacker can exploit this by sending a crafted HTTP request to the logo download endpoint with path traversal sequences (e.g., ../) in the URL parameter. No authentication or user interaction is required. [1]
Impact
Successful exploitation allows the attacker to download arbitrary system files from the server, leading to disclosure of sensitive data. The CVSS score is 7.5 (High), with confidentiality impact High and integrity and availability impact None. [1]
Mitigation
The vendor (Chain Sea / 程曦資訊整合) has not released a specific fixed version publicly. The recommended mitigation is to contact the vendor for a version update. No workaround is provided. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Chain Sea Information Integration Co., Ltd / ai chatbot system (v5, Range: 0)
Patches
No patches discovered yet.
References
[1] www.twcert.org.tw/tw/cp-132-5397-b1f40-1.html (mitre, x_refsource_MISC)