CVE-2021-4463

Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory.

CVSS

No CVSS.

References

Link	Resource
https://cxsecurity.com/issue/WLB-2021070173
https://exchange.xforce.ibmcloud.com/vulnerabilities/206477
https://packetstormsecurity.com/files/163702
https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/
https://www.exploit-db.com/exploits/50163
https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php

Configurations

No configuration.

History

12 Nov 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-12 22:15

Updated : 2025-11-14 16:42

NVD link : CVE-2021-4463

Mitre link : CVE-2021-4463

CVE.ORG link : CVE-2021-4463

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-552

Files or Directories Accessible to External Parties

{"id": "CVE-2021-4463", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-12T22:15:41.863", "references": [{"url": "https://cxsecurity.com/issue/WLB-2021070173", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/206477", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/163702", "source": "[email protected]"}, {"url": "https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50163", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-552"}]}], "descriptions": [{"lang": "en", "value": "Longjing Technology BEMS API versions up to and including 1.21 contains an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, allowing attackers to craft traversal sequences and access sensitive files outside the intended directory."}], "lastModified": "2025-11-14T16:42:30.503", "sourceIdentifier": "[email protected]"}