CVE-2025-11336

Vulnerability

Overview

A path traversal vulnerability exists in the /stAlarmConfigure/index.do/../../aloneReport/download.do endpoint of the Four-Faith Water Conservancy Informatization Platform (versions up to 2.2). The application fails to properly validate the fileName parameter, allowing directory traversal sequences such as ../ to be processed. This flaw enables an attacker to read arbitrary files on the server, including configuration files and sensitive data.

Exploitation

The attack can be performed remotely without authentication. An attacker simply sends a crafted GET request to the vulnerable endpoint with a fileName parameter containing path traversal sequences. For example, requesting fileName=../WEB-INF/classes/web.properties allows retrieval of the application's configuration file. The vulnerability has been publicly disclosed with a proof-of-concept exploit, increasing the risk of widespread exploitation.

Impact

Successful exploitation grants an attacker the ability to read any file on the server to which the web application has access. This includes sensitive configuration files, credentials, source code, and other proprietary data. The impact is particularly severe as it can lead to further compromise of the system and data exposure.

Mitigation

The vendor (Four-Faith Communication Technology Co., Ltd.) was contacted but did not respond. No official patch or security update has been released. As a temporary measure, administrators should implement strict input validation and file access controls, or consider disabling the vulnerable endpoint until a fix is available [1].