CVE-2021-4463

N/A Unknown
Published: November 12, 2025 Modified: November 14, 2025
View on NVD

Description

Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://cxsecurity.com/issue/WLB-2021070173
Source: disclosure@vulncheck.com
https://exchange.xforce.ibmcloud.com/vulnerabilities/206477
Source: disclosure@vulncheck.com
https://packetstormsecurity.com/files/163702
Source: disclosure@vulncheck.com
https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/
Source: disclosure@vulncheck.com
https://www.exploit-db.com/exploits/50163
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download
Source: disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
Source: disclosure@vulncheck.com

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.1%
34th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-22 CWE-552

Related CVEs

CVE-2026-0824 3.5
CVE-2026-0822 6.3
CVE-2025-13393 4.3
CVE-2025-12379 6.4
CVE-2026-0821 7.3