Title: Longjing Technology BEMS API 1.21 Remote Arbitrary File Download
Advisory ID: ZSL-2021-5657
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 28.07.2021

Summary

Battery Energy Management System.

Description

The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter of the downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.

Vendor

Longjing Technology -

Affected Version

1.21

Tested On

nginx/1.19.1

Vendor Status

N/A

PoC

Credits

Vulnerability discovered by Gjoko Krstic -

References

1.
2.
3.
4.
5.
6.

Changelog

[28.07.2021] - Initial release
[30.07.2021] - Added reference [1] and [2]
[02.08.2021] - Added reference [3] and [4]
[13.11.2025] - Added reference [5] and [6]

Contact

Zero Science Lab
Web:
e-mail: lab@zeroscience.mk
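The defect described above is the absence of a containment check on the fileName value before it is used to open a file. The following is an added illustration of that check, written for this page; it is not the vendor's code and not part of the advisory. It assumes a fixed download directory and a handler that receives the requested name as a string; the directory layout, file names and the function names are constructed for the example. A download endpoint that resolves every requested name this way, and serves only paths that stay under the download root after canonicalisation, is not exposed to the traversal the advisory describes.

```python
"""Hardened file-download path resolution (added example, not vendor code).

Assumptions (not from the advisory): downloads live under one fixed
directory and the endpoint receives the requested name as a plain string.
"""
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a requested file name would escape the download root."""


def resolve_download_path(base_dir: str, file_name: str) -> str:
    """Return the absolute path of file_name inside base_dir, or raise UnsafePath.

    Checks performed:
      * reject empty names and embedded NUL bytes (they can truncate paths lower down)
      * reject absolute names; everything must be relative to base_dir
      * canonicalise with realpath so '..' segments and symlinks are resolved
      * require the resolved path to remain strictly under the resolved base_dir
    """
    if not file_name or "\x00" in file_name:
        raise UnsafePath("empty name or NUL byte")
    if os.path.isabs(file_name):
        raise UnsafePath("absolute path not allowed")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, file_name))
    # commonpath raises ValueError for mixed absolute/relative paths or different drives
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:
        inside = False
    if not inside or candidate == root:
        raise UnsafePath(f"{file_name!r} resolves outside the download directory")
    return candidate


def is_safe_download(base_dir: str, file_name: str) -> bool:
    """Boolean form of the check, convenient for logging or tests."""
    try:
        resolve_download_path(base_dir, file_name)
        return True
    except UnsafePath:
        return False


def demo() -> dict:
    """Build a temporary download root and exercise the check with constructed names.

    Returns a mapping of requested name -> whether the check accepted it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        os.makedirs(os.path.join(root, "reports"))
        with open(os.path.join(root, "reports", "daily.csv"), "w") as fh:
            fh.write("kWh,ts\n")  # constructed sample content
        # A symlink inside the root that points outside it: realpath follows it,
        # so the containment check must be done on the resolved path.
        os.symlink(tmp, os.path.join(root, "escape"))
        names = [
            "reports/daily.csv",          # legitimate file -> accepted
            "../secret.txt",              # parent-directory traversal -> rejected
            "reports/../../secret.txt",   # traversal after a valid prefix -> rejected
            "/etc/hostname",              # absolute path -> rejected
            "escape/secret.txt",          # symlink leading out of the root -> rejected
            "reports/daily.csv\x00.txt",  # NUL byte -> rejected
        ]
        return {n: is_safe_download(root, n) for n in names}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {name!r}")
```

The check compares canonical paths rather than searching the input for `..`, because string filtering misses encodings, mixed separators and symlinks, all of which `os.path.realpath` resolves before the comparison is made. Pair this with serving only from a dedicated download directory that holds no configuration or credential files, so that even a future bypass exposes nothing sensitive.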