CVE-2021-47724

STVS ProVision 5.9.10 contains a path traversal vulnerability that allows authenticated attackers to access arbitrary files by manipulating the files parameter in the archive download functionality. Attackers can send GET requests to /archive/download with directory traversal sequences to read sensitive system files like /etc/passwd.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.stvs.ch	Not Applicable
https://www.exploit-db.com/exploits/49481	Exploit Technical Description
https://www.vulncheck.com/advisories/stvs-provision-authenticated-file-disclosure-via-archiverb	Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5623.php	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:stvs:provision:5.5:::::::*
	cpe:2.3:a:stvs:provision:5.6:::::::*
	cpe:2.3:a:stvs:provision:5.7:::::::*
	cpe:2.3:a:stvs:provision:5.8.6:::::::*
	cpe:2.3:a:stvs:provision:5.9.0:::::::*
	cpe:2.3:a:stvs:provision:5.9.1:::::::*
	cpe:2.3:a:stvs:provision:5.9.7:::::::*
	cpe:2.3:a:stvs:provision:5.9.9:::::::*
	cpe:2.3:a:stvs:provision:5.9.10:::::::*

History

13 Feb 2026, 17:35

Type	Values Removed	Values Added
References	~~() http://www.stvs.ch -~~	() http://www.stvs.ch - Not Applicable
References	~~() https://www.exploit-db.com/exploits/49481 -~~	() https://www.exploit-db.com/exploits/49481 - Exploit, Technical Description
References	~~() https://www.vulncheck.com/advisories/stvs-provision-authenticated-file-disclosure-via-archiverb -~~	() https://www.vulncheck.com/advisories/stvs-provision-authenticated-file-disclosure-via-archiverb - Third Party Advisory
References	~~() https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5623.php -~~	() https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5623.php - Third Party Advisory
First Time		Stvs provision Stvs
CPE		cpe:2.3:a:stvs:provision:5.6:::::::* cpe:2.3:a:stvs:provision:5.8.6:::::::* cpe:2.3:a:stvs:provision:5.9.7:::::::* cpe:2.3:a:stvs:provision:5.5:::::::* cpe:2.3:a:stvs:provision:5.9.9:::::::* cpe:2.3:a:stvs:provision:5.9.10:::::::* cpe:2.3:a:stvs:provision:5.7:::::::* cpe:2.3:a:stvs:provision:5.9.1:::::::* cpe:2.3:a:stvs:provision:5.9.0:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

09 Dec 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-09 21:15

Updated : 2026-02-13 17:35

NVD link : CVE-2021-47724

Mitre link : CVE-2021-47724

CVE.ORG link : CVE-2021-47724

JSON object : View

Products Affected

stvs

provision

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

6.5 /10