Summary

ZZCMS is prone to a path traversal vulnerability because it fails to properly validate user-supplied input in the '/one/siteinfo.php' path. An attacker can exploit this to construct a path that reaches any file on the system via a GET request. For example, an attacker who sends a GET request to '/one/siteinfo.php?site=foo&site=bar' can access files on the system via the site=foo and site=bar variables. An attacker can leverage this vulnerability to retrieve remote system files, inject malicious code, or execute commands on the system. ZZCMS should be upgraded to version 2022.17.19 or higher to correct this issue.
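
A log check for the request pattern described above, added here as an example and not taken from the advisory or from ZZCMS itself: it flags requests to '/one/siteinfo.php' whose site parameter is repeated or decodes to a traversal sequence or absolute path. The access-log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Sep/2022:14:20:01 +0000] "GET /one/siteinfo.php?site=foo HTTP/1.1" 200 512
203.0.113.9 - - [22/Sep/2022:14:21:10 +0000] "GET /one/siteinfo.php?site=foo&site=bar HTTP/1.1" 200 498
203.0.113.9 - - [22/Sep/2022:14:21:44 +0000] "GET /one/siteinfo.php?site=..%2F..%2Fexample.txt HTTP/1.1" 200 2048
203.0.113.9 - - [22/Sep/2022:14:22:02 +0000] "GET /one/siteinfo.php?site=%252e%252e%252fexample.txt HTTP/1.1" 404 0
198.51.100.7 - - [22/Sep/2022:14:23:30 +0000] "GET /index.php?site=../example.txt HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET_PATH = "/one/siteinfo.php"   # endpoint named in the advisory
PARAM = "site"                      # parameter named in the advisory

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the reasons a log line looks suspicious (empty list if none)."""
    m = REQUEST_RE.match(line)
    url = urlsplit(m.group(2)) if m else None
    if url is None or url.path != TARGET_PATH:
        return []
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    reasons = []
    if len(values) > 1:                       # e.g. site=foo&site=bar
        reasons.append("repeated-param")
    decoded = [fully_decode(v) for v in values]
    if any(".." in re.split(r"[\\/]", v) for v in decoded):
        reasons.append("traversal")
    if any(re.match(r"[\\/]|[A-Za-z]:", v) for v in decoded):
        reasons.append("absolute-path")
    return reasons

def scan(log_text):
    """Return (line_number, client, reasons) for every suspicious line."""
    rows = ((n, l.split(" ", 1)[0], classify(l))
            for n, l in enumerate(log_text.splitlines(), start=1))
    return [r for r in rows if r[2]]
```

Calling scan(SAMPLE_LOG) reports lines 2, 3 and 4 of the constructed sample; hits are triage leads for review alongside the upgrade, not proof of file access.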

Timeline

Published on: 09/22/2022 14:15:00 UTC
Last modified on: 09/23/2022 18:47:00 UTC
