CVE-2021-4463

high

Description

Longjing Technology BEMS API versions up to and including 1.21 contain an unauthenticated arbitrary file download vulnerability in the 'downloads' endpoint. The 'fileName' parameter is not properly sanitized, so an unauthenticated attacker can supply directory traversal sequences in it and read sensitive files outside the intended download directory. Because no authentication is required, any network-reachable instance of the API is exposed.
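The pattern behind this class of bug, as an added example that is not BEMS code and is not taken from any of the references below: a download handler that joins a client-supplied file name onto its download directory after a naive "strip ../" filter, next to a hardened resolver that canonicalises the path and requires it to stay inside the directory. The endpoint and parameter names come from the description above; the handler implementation, the "....//" bypass string and the sample file tree are assumptions constructed for illustration.

```python
"""Arbitrary file download via path traversal: a handler that trusts a
client-supplied file name versus one that confines it to the download
directory. Added example; not Longjing BEMS code."""
import os
import tempfile
from pathlib import Path


def naive_sanitize(file_name: str) -> str:
    """Blocklist-style 'fix' that strips one level of '../'.
    Constructed here to show why stripping is not sanitisation:
    '....//' collapses to '../' after a single pass."""
    return file_name.replace("../", "")


def resolve_unsafe(base_dir: str, file_name: str) -> str:
    """Vulnerable pattern (hypothetical 'downloads' handler): join the
    filtered 'fileName' onto the download directory and serve the result."""
    return os.path.join(base_dir, naive_sanitize(file_name))


class TraversalRejected(ValueError):
    """Raised when the requested name would leave the download directory."""


def resolve_safe(base_dir: str, file_name: str) -> str:
    """Hardened pattern: canonicalise both sides, then require the result to
    remain under base_dir. Covers '..', absolute names, NUL bytes and
    symlinks inside the directory that point outside it."""
    root = os.path.realpath(base_dir)
    if not file_name or "\x00" in file_name or os.path.isabs(file_name):
        raise TraversalRejected(file_name)
    candidate = os.path.realpath(os.path.join(root, file_name))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalRejected(file_name)
    return candidate


def demo() -> dict:
    """Build a throwaway tree (constructed sample data: one public file in
    downloads/, one secret one level up), then show the naive filter being
    bypassed and the hardened resolver holding."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.realpath(tmp)
        downloads = os.path.join(tree, "downloads")
        os.makedirs(downloads)
        Path(downloads, "report.csv").write_text("public\n")
        Path(tree, "secret.txt").write_text("do-not-serve\n")

        bypass = "....//secret.txt"  # survives one strip of '../' as '../secret.txt'
        out = {
            "filter_collapses_to": naive_sanitize(bypass),
            # the unsafe handler reads the file one level above downloads/
            "unsafe_serves_secret": Path(resolve_unsafe(downloads, bypass)).read_text(),
            # a legitimate name still resolves to the expected path
            "safe_legit": resolve_safe(downloads, "report.csv")
            == os.path.join(downloads, "report.csv"),
        }
        for name in ("../secret.txt", "sub/../../secret.txt", "/etc/passwd"):
            try:
                resolve_safe(downloads, name)
                out[name] = "allowed"
            except TraversalRejected:
                out[name] = "rejected"
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The containment check is done on the canonicalised path, not on the raw parameter, so encoding tricks and symlink games collapse to the same question: does the real target lie under the real download directory? A check of the form "does the string contain ../" answers a different question and is exactly what the "....//" string above defeats.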

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php

https://www.vulncheck.com/advisories/longjing-technology-bems-api-remote-arbitrary-file-download

https://www.exploit-db.com/exploits/50163

https://web.archive.org/web/20220527162453/http://www.ljkj2012.com/

https://packetstormsecurity.com/files/163702

https://exchange.xforce.ibmcloud.com/vulnerabilities/206477

https://cxsecurity.com/issue/WLB-2021070173

Details

Source: Mitre, NVD

Published: 2025-11-12

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.0007