CVE-2024-13984
Severity: CRITICAL (CVSS 4.0 base score 10.0)
EPSS: 50.6%
Published: Aug 27, 2025
Last Modified: Jun 17, 2026
Description
QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rptsvr/upload endpoint fails to sanitize the filename parameter in multipart form-data requests, enabling path traversal. This allows attackers to place executable files in web-accessible directories, potentially leading to remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-23 UTC.
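The description names the defect class (a client-supplied multipart filename joined onto the upload directory without sanitization) but shows no code. The Python below is an added example, not QiAnXin's code and not derived from the rptsvr implementation: it parses a constructed multipart request of the shape described, shows where a naive join would write the file, and resolves the same filename through a hardened routine that keeps uploads inside their directory. The upload directory /srv/rptsvr/uploads, the extension allow-list and the sample request body are assumptions made for the example.

```python
"""Added example for the flaw class in the advisory: a client-controlled
multipart filename joined straight onto an upload directory, beside a
hardened resolver. Not vendor code; paths, allow-list and the sample
request are constructed for illustration."""
import os
import posixpath
import re
from email import policy
from email.parser import BytesParser

# Constructed multipart/form-data request (headers + body). The filename
# parameter carries a traversal sequence, as the advisory describes.
SAMPLE_REQUEST = (
    b"Content-Type: multipart/form-data; boundary=f00\r\n"
    b"\r\n"
    b"--f00\r\n"
    b'Content-Disposition: form-data; name="file"; '
    b'filename="../../webapps/ROOT/cmd.jsp"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"<%-- constructed placeholder, not a working payload --%>\r\n"
    b"--f00--\r\n"
)

# Assumption: the report server only needs to accept report-style files.
ALLOWED_EXTS = (".csv", ".txt", ".pdf")


def parse_multipart_filenames(raw: bytes) -> list:
    """Return every filename parameter found in a multipart/form-data message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]


def vulnerable_target_path(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern: trust the filename and join it onto the upload
    directory. Returns the normalized path the server would actually write,
    which escapes upload_dir whenever the filename contains '..' segments."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


def safe_filename(filename):
    """Reduce a client-supplied filename to one safe basename, or None."""
    if not filename or "\x00" in filename:
        return None  # empty names and NUL truncation tricks are rejected
    # Keep only the last path component; treat both / and \ as separators
    # because the advisory does not say which OS the server runs on.
    base = re.split(r"[\\/]", filename)[-1]
    if base in ("", ".", ".."):
        return None
    # Allow-list the characters; a leading dot (e.g. .htaccess) is refused.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}", base):
        return None
    return base


def resolve_upload_path(upload_dir, filename, allowed_exts=ALLOWED_EXTS):
    """Hardened pattern: return the absolute path to write, or None to reject."""
    base = safe_filename(filename)
    if base is None:
        return None
    if os.path.splitext(base)[1].lower() not in allowed_exts:
        return None  # executable types such as .jsp never reach disk
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, base))
    # Defense in depth: after symlink resolution the target must still sit
    # under the upload root, even though the basename check already ensures it.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    upload_dir = "/srv/rptsvr/uploads"  # assumed location
    for name in parse_multipart_filenames(SAMPLE_REQUEST):
        print("client filename :", name)
        print("naive join writes:", vulnerable_target_path(upload_dir, name))
        print("hardened result  :", resolve_upload_path(upload_dir, name))
```

The hardened resolver rejects the traversal sample twice over: the basename step strips the directory part, and the extension allow-list refuses the executable type that the description says makes this bug a remote code execution path.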
CVSS Details
Base score: 10.0 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: Confidentiality High, Integrity High, Availability High
Scope: not defined (CVSS 4.0 has no Scope metric; the subsequent-system impact values above take its place)
Threat Intelligence
EPSS exploit probability: 50.6% (the page labels this figure a percentile)
Exploit status: No Known Exploit (note that the description above records exploitation evidence observed by the Shadowserver Foundation on 2024-08-23 UTC, so this flag should not be relied on)
Patch status: No Patch Available
Weaknesses (2)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 External Control of File Name or Path (listed under resource management)
References (4)
- blog.csdn.net https://blog.csdn.net/maxiluo/article/details/135865584
- cn-sec.com https://cn-sec.com/archives/2421288.html
- qianxin.com https://www.qianxin.com/product/detail/pid/330
- vulncheck.com https://www.vulncheck.com/advisories/qianxin-tianqing-management-center-arbitrary-file-upload
Remediation
No remediation data recorded yet.
Check the vendor product page listed above and the NVD entry for patch availability. Until a fix is available, restrict network access to the management center's /rptsvr/upload endpoint and audit web-accessible directories for recently written executable files, since the description states the upload needs no authentication.