CVE-2025-11034
Description
A vulnerability was found in Dibo Data Decision Making System up to 2.7.0. The affected element is the function downloadImpTemplet of the file /common/dep/common_dep.action.jsp. The manipulation of the argument filePath results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dibo Data Decision Making System up to 2.7.0 contains a path traversal vulnerability in the downloadImpTemplet function, allowing remote attackers to read arbitrary files.
Vulnerability
Analysis
The vulnerability resides in the downloadImpTemplet function within /common/dep/common_dep.action.jsp. The function takes the filePath request parameter and passes it straight to request.getServletContext().getRealPath(filePath), which maps the string onto the filesystem relative to the web application root without validating it. Because no canonicalization or containment check is applied, an attacker can supply traversal sequences (e.g., ../) to climb out of the intended template directory and have the function return any file readable by the account the servlet container runs as [1].
Exploitation
An attacker who can reach the endpoint over the network can exploit this by sending a crafted HTTP request to /common/dep/common_dep.action.jsp with a filePath parameter that contains traversal sequences. Per the CVE description the attack is remotely exploitable and requires no special privileges. A public exploit exists, so opportunistic scanning for exposed instances should be expected [1].
Impact
Successful exploitation allows an attacker to read sensitive files that the application's OS account can access, such as configuration files, application source, or stored credentials. Exposed database or service credentials can in turn be used to pivot further into the environment.
Mitigation
The vendor has not released a patch as of the publication date. Until an official fix is available, operators should (1) restrict access to /common/dep/common_dep.action.jsp to authenticated users or trusted networks, (2) block requests to that endpoint whose filePath value contains traversal sequences (../ or its URL-encoded forms) at a reverse proxy or WAF, and (3) review access logs for such requests, since a public exploit is available. A code-level fix should resolve filePath against a fixed template directory, canonicalize the result, and reject any path that does not remain inside that directory, rather than relying on blacklisting of ".." alone.
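The following Java example illustrates both the analysis above (unvalidated resolution of filePath) and the code-level mitigation. It is an added illustration, not Dibo's code or the vulnerable JSP; the ServletContext.getRealPath() call is modelled with java.nio.file so the example runs stand-alone, and the web root, template directory name and sample filePath values are constructed assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example for CVE-2025-11034 (not the vendor's code): the unsafe
 * resolution pattern beside a hardened resolver that enforces containment.
 */
public class TemplateDownloadCheck {

    // Vulnerable pattern as described in the analysis: the raw parameter is
    // mapped onto the filesystem relative to the web root with no validation,
    // so "../" sequences or an absolute path escape the template directory.
    // getRealPath() is modelled here with Path.resolve() (assumption).
    static Path resolveVulnerable(Path webRoot, String filePath) {
        return webRoot.resolve(filePath).normalize();
    }

    // Hardened form: resolve against a fixed template directory, normalize
    // away "." and ".." segments, then require the result to stay inside
    // that directory. Absolute inputs are caught because resolve() returns
    // them unchanged and the containment check then fails. For files that
    // must already exist, toRealPath() would additionally defeat symlinks.
    static Path resolveSafe(Path templateDir, String filePath) {
        Path base = templateDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(filePath).toAbsolutePath().normalize();
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IllegalArgumentException(
                "filePath escapes template directory: " + filePath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample layout; the real deployment's paths are unknown.
        Path webRoot = Paths.get("/opt/app/webapps/ROOT");
        Path templateDir = webRoot.resolve("common/dep/templates");

        // Constructed sample inputs: one legitimate template name, a relative
        // traversal, an absolute path, and a benign "sub/.." round trip.
        String[] inputs = {
            "import_template.xlsx",
            "../../../conf/app.properties",
            "/etc/hosts",
            "sub/../import_template.xlsx",
        };

        for (String in : inputs) {
            System.out.println("input: " + in);
            System.out.println("  vulnerable resolves to: "
                + resolveVulnerable(webRoot, in));
            try {
                System.out.println("  hardened accepts:       "
                    + resolveSafe(templateDir, in));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened rejects:       " + e.getMessage());
            }
        }
    }
}
```

The check operates on the decoded parameter value, which is what a servlet's getParameter() returns, so URL-encoded variants of ".." are handled by the container before the containment test runs. Note that the "sub/../import_template.xlsx" input is accepted because normalization keeps it inside the template directory; a naive substring check for ".." would reject it while still missing absolute paths, which is why containment on the normalized path is the check to enforce.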
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=2.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.