CVE-2025-5545
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-04

Last updated on: 2025-06-09

Assigner: VulDB

Description
A vulnerability classified as problematic has been found in aaluoxiang oa_system up to 5b445a6227b51cee287bd0c7c33ed94b801a82a5. This affects the function image of the file src/main/java/cn/gson/oasys/controller/process/ProcedureController.java. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-04
Last Modified
2025-06-09
Generated
2026-05-07
AI Q&A
2025-06-04
EPSS Evaluated
2026-05-05
NVD
CVE-2025-5545
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
aaluoxiang oa_system *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a path traversal flaw in the aaluoxiang oa_system, specifically in the 'image' function of the ProcedureController.java file. It allows an attacker to manipulate file paths to access files outside the intended directory, enabling them to read arbitrary files on the server remotely. This can expose sensitive information stored on the server. [1, 2]


How can this vulnerability impact me? :

The vulnerability can impact you by allowing attackers to read sensitive files on your server without authorization. This unauthorized file access can lead to exposure of confidential information, potentially compromising your system's confidentiality and security. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for requests to the vulnerable API endpoint that include path traversal patterns, such as '../' sequences in the 'show/**' route. Network or web server logs can be inspected for suspicious URL patterns attempting to access arbitrary files. Since a proof-of-concept exploit is publicly available, testing with crafted requests targeting the 'show/**' route to see if unauthorized file access is possible can help detect the vulnerability. Specific commands would depend on your environment, but using tools like curl or wget to send requests with path traversal payloads to the 'show/**' endpoint can be effective. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable API endpoint, implementing input validation or sanitization to prevent path traversal characters in requests, and monitoring for exploitation attempts. Since no known countermeasures or patches are currently identified, replacing the affected component with an alternative product is suggested. Additionally, applying network-level controls such as firewall rules to limit access to the vulnerable service and disabling the vulnerable functionality if possible can reduce risk. [2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart