Name of the Vulnerable Software and Affected Versions:

Kingdee Cloud-Starry-Sky Enterprise Edition versions prior to 8.2

Description:

A path traversal issue exists in the `BaseServiceFactory.getFileUploadService.deleteFileAction` function within the `K3CloudBBCMallSiteWEB-INFlibKingdee.K3.O2O.Base.WebApp.jar!kingdeek3o2obasewebappactionFileUploadAction.class` file of the `IIS-K3CloudMiniApp` component. The manipulation of the `filePath` argument can lead to path traversal, allowing for remote exploitation. The exploit has been publicly disclosed.

Recommendations:

Kingdee Cloud-Starry-Sky Enterprise Edition versions prior to 8.2: Temporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control.

Kingdee Cloud-Starry-Sky Enterprise Edition versions prior to 8.2: Install the security patch provided by the Starry Sky system, including adding authentication to the vulnerable `CMKAppWebHandler.ashx` interface and removing the file reading function.