CVE-2024-13991
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-11-03

Assigner: VulnCheck

Description
Huijietong Cloud Video Platform contains a path traversal vulnerability that allows an unauthenticated attacker can supply arbitrary file paths to the `fullPath` parameter of the `/fileDownload?action=downloadBackupFile` endpoint and retrieve files from the server filesystem. VulnCheck has observed this vulnerability being exploited in the wild.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-15
NVD
CVE-2024-13991
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
huijietong cloud_video_platform 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-13991 is a path traversal vulnerability in the Huijietong Cloud Video Platform. It allows an unauthenticated attacker to manipulate the 'fullPath' parameter in the '/fileDownload?action=downloadBackupFile' endpoint to supply arbitrary file paths. This enables the attacker to read any file on the server's filesystem without authentication or user interaction. [1, 2]

Impact Analysis

This vulnerability can allow attackers to read sensitive files on the server, such as configuration files and stored account credentials. This exposure can lead to further attacks, data breaches, and compromise of the server and its data. [1, 2]

Detection Guidance

Detection can be performed by searching for access attempts to the vulnerable endpoint `/fileDownload?action=downloadBackupFile` with the `fullPath` parameter being manipulated. Tools like Fofa, Hunter, and Quake can be used to identify affected systems by searching for specific API paths. For example, searching for requests containing `/fileDownload?action=downloadBackupFile` or monitoring web server logs for suspicious requests to this endpoint can help detect exploitation attempts. Additionally, attempting to access sensitive files such as `/etc/passwd` via the vulnerable parameter can confirm the presence of the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include implementing temporary blacklist rules for the vulnerable interface in the Web Application Firewall (WAF) to block exploitation attempts. It is also recommended to contact the vendor for patches or upgrade to a fixed version of the Huijietong Cloud Video Platform once available. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-13991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart