Title: Longjing Technology BEMS API 1.21 Remote Arbitrary File Download
Advisory ID: ZSL-2021-5657
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 28.07.2021

Summary

Battery Energy Management System.

Description

The application is affected by an unauthenticated arbitrary file download vulnerability. Input passed through the parameter via the downloads endpoint is not properly validated before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks.

Vendor

Longjing Technology -

Affected Version

1.21

Tested On

nginx/1.19.1

Vendor Status

N/A

PoC

Credits

Vulnerability discovered by Gjoko Krstic -

References

1.
2.
3.
4.
5.
6.

Changelog

[28.07.2021] - Initial release
[30.07.2021] - Added reference [1] and [2]
[02.08.2021] - Added reference [3] and [4]
[13.11.2025] - Added reference [5] and [6]

Contact

Zero Science Lab
Web:
e-mail: lab@zeroscience.mk
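The validation the Description section says is missing, as an added example that is not part of the advisory, the vendor's product, or Zero Science Lab's PoC: a Python path-containment check for a download endpoint that decodes the value first, rejects NUL bytes and backslash separators, never honours an absolute path, and only accepts a resolved path that stays inside the download directory. A small detector then runs over constructed nginx access-log lines to flag download requests carrying traversal indicators. The parameter name `file`, the directory `/srv/bems/downloads`, the client addresses and the log lines are all assumptions constructed for this example; the advisory does not name the parameter.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Added example, not code from the advisory or the vendor. The download
# directory and the parameter name "file" are assumptions for illustration.
DOWNLOAD_DIR = "/srv/bems/downloads"


class TraversalRejected(ValueError):
    """Raised when a requested file name would escape the download directory."""


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so that %2e%2e or %252e%252e become '..'
    before any path logic runs; a single decode is not enough."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def contain_download_path(base_dir: str, requested: str) -> Path:
    """Resolve an untrusted file name onto a path guaranteed to sit inside base_dir.

    This is the check the advisory reports as absent: the parameter value is
    used to open a file without confirming the final path stays in the tree
    the endpoint is meant to serve.
    """
    base = Path(base_dir).resolve()
    name = _fully_decode(requested)
    if "\x00" in name:
        raise TraversalRejected("NUL byte in file name")
    # Treat backslashes as separators too, so '..\\' is not overlooked.
    name = name.replace("\\", "/")
    # Never honour an absolute path: Path('/a') / '/etc/x' would yield '/etc/x'.
    candidate = (base / name.lstrip("/")).resolve()
    # Decisive check: after '..' and symlink resolution the candidate must be
    # base_dir itself or one of its descendants.
    if candidate != base and base not in candidate.parents:
        raise TraversalRejected(f"{requested!r} escapes {base_dir}")
    if candidate == base:
        raise TraversalRejected("a directory, not a file, was requested")
    return candidate


def is_safe_download(base_dir: str, requested: str) -> bool:
    """Boolean form of contain_download_path, convenient for checks and tests."""
    try:
        contain_download_path(base_dir, requested)
        return True
    except TraversalRejected:
        return False


# Constructed nginx access-log lines (combined format); addresses are made up.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [28/Jul/2021:10:01:02 +0200] "GET /downloads?file=report.csv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [28/Jul/2021:10:01:07 +0200] "GET /downloads?file=../../../../etc/passwd HTTP/1.1" 200 1680 "-" "curl/7.68.0"',
    '10.0.0.9 - - [28/Jul/2021:10:01:09 +0200] "GET /downloads?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    '10.0.0.5 - - [28/Jul/2021:10:02:00 +0200] "GET /static/app.js HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
]

# Raw and percent-encoded forms of '../' and '..\' as they appear in a request line.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e|\.\.%2f|\.\.%5c)", re.IGNORECASE)
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')


def flag_traversal_requests(access_log_lines, endpoint="/downloads"):
    """Return (client_ip, request_target) for entries that hit the download
    endpoint with a traversal indicator in the path or query string."""
    hits = []
    for line in access_log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        if target.startswith(endpoint) and TRAVERSAL_RE.search(target):
            hits.append((ip, target))
    return hits


if __name__ == "__main__":
    for ip, target in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

The containment test compares resolved paths rather than searching the raw string for `..`, so encoded, mixed-separator and symlink-based variants are all judged by where the path actually lands; the log detector is deliberately string-based because at that stage the goal is to surface attempts, including ones the server already refused.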