CVE-2025-34508
ZendTo has a path traversal vulnerability (CVE-2025-34508) affecting versions 6.15-7 and earlier. An attacker can bypass security controls to access or modify sensitive user information, and can move arbitrary files into a dropoff directory, disclosing their contents or causing a service outage. Upgrading to 6.15-8 or later is recommended. 2025-6-18 15:57:50 Author: horizon3.ai

ZendTo Path Traversal Vulnerability

CVE-2025-34508 is a path traversal vulnerability discovered by Horizon3.ai in ZendTo, a web-based file transfer application. This critical vulnerability affects ZendTo versions 6.15-7 and prior. It allows remote attackers to bypass security controls, enabling them to access or modify sensitive information of other users.

Exploitation allows an attacker to specify arbitrary files and move them from any accessible location into a newly created dropoff directory, which reveals the contents of the moved files. For instance, an attacker could move the zendto.log file to obtain dropoff claimIDs, potentially gaining access to content uploaded by other users. Moving critical files, such as the ZendTo database, could also result in a denial of service.
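The defect class described above is a file-move routine that trusts a client-supplied name. The following Python is an added illustration written for this page, not ZendTo's code: it shows a generic vulnerable pattern (joining the request value straight onto the staging directory) next to a hardened version that enforces a single-component filename, resolves symlinks, and checks that both source and destination stay inside their allowed roots. Directory names, the `is_safe_name` policy and the constructed `app.log` sample are all assumptions for the demo.

```python
"""Hardened 'move an uploaded file into a dropoff directory' routine.

Added illustration, not ZendTo code: a file transfer application must confine
the source of a move to its staging area, otherwise a name such as
'../app.log' or an absolute path pulls a file from outside that area into a
dropoff the requester can read.
"""
import os
import re
import shutil
import tempfile

# Hypothetical filename policy: one path component, no separators, no
# traversal segments, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,254}$")


def is_safe_name(name: str) -> bool:
    """Reject anything that is not a plain single-component filename."""
    if not name or name in (".", "..") or "\x00" in name:
        return False
    if "/" in name or "\\" in name:
        return False
    return bool(_SAFE_NAME.fullmatch(name))


def is_within(root: str, candidate: str) -> bool:
    """True only if the resolved candidate lives under the resolved root.

    realpath follows symlinks, so a link placed inside the staging area that
    points at a file elsewhere is rejected as well.
    """
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return cand_real == root_real or cand_real.startswith(root_real + os.sep)


def vulnerable_move(staging_dir: str, dropoff_dir: str, requested: str) -> str:
    """Generic unsafe pattern: the request value is joined onto the staging
    path unchecked, so '..' segments (or an absolute path) escape it."""
    src = os.path.join(staging_dir, requested)
    dst = os.path.join(dropoff_dir, os.path.basename(requested))
    shutil.move(src, dst)
    return dst


def safe_move_to_dropoff(staging_dir: str, dropoff_dir: str, requested: str) -> str:
    """Hardened version: validate the name, then confine source and
    destination to their roots after symlink resolution."""
    if not is_safe_name(requested):
        raise ValueError(f"rejected filename: {requested!r}")
    src = os.path.join(staging_dir, requested)
    if not is_within(staging_dir, src):
        raise ValueError("source escapes staging area")
    if os.path.islink(src) or not os.path.isfile(src):
        raise ValueError("source is not a regular file in staging")
    dst = os.path.join(dropoff_dir, requested)
    if not is_within(dropoff_dir, dst):
        raise ValueError("destination escapes dropoff directory")
    shutil.move(src, dst)
    return dst


def demo() -> dict:
    """Constructed scenario: a staging dir holding one genuine upload and an
    application log (stand-in for a sensitive file) one level above it."""
    base = tempfile.mkdtemp()
    staging = os.path.join(base, "staging")
    dropoff = os.path.join(base, "dropoff")
    os.makedirs(staging)
    os.makedirs(dropoff)
    with open(os.path.join(staging, "report.pdf"), "w") as f:
        f.write("genuine upload")
    with open(os.path.join(base, "app.log"), "w") as f:
        f.write("constructed sensitive log content")

    results = {}
    # Unsafe routine: '../app.log' walks out of staging and lands in dropoff.
    results["vuln_leaked"] = os.path.exists(vulnerable_move(staging, dropoff, "../app.log"))
    shutil.move(os.path.join(dropoff, "app.log"), os.path.join(base, "app.log"))

    # Hardened routine: same request is refused before any filesystem change.
    try:
        safe_move_to_dropoff(staging, dropoff, "../app.log")
        results["safe_blocked"] = False
    except ValueError:
        results["safe_blocked"] = os.path.isfile(os.path.join(base, "app.log"))

    # Hardened routine still serves a legitimate upload.
    results["safe_ok"] = os.path.isfile(safe_move_to_dropoff(staging, dropoff, "report.pdf"))
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the name policy runs first so that separators and traversal segments never reach the filesystem, and the `realpath` containment check runs second to catch symlinks and platform-specific path normalisation that a string filter alone would miss.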

Impact

Successful exploitation of this vulnerability can lead to:

  • Unauthorized access to sensitive user information.
  • Modification of sensitive data.
  • Potential denial of service by moving critical system files.
  • Full control over the affected system if critical files like the database are manipulated.

Mitigations

  • It is strongly recommended to reference the vendor advisory and upgrade ZendTo immediately to the patched version 6.15-8 or later.

Source: https://horizon3.ai/attack-research/vulnerabilities/cve-2025-34508/