CVE-2022-40443
Discoverer:Yuan Lirong
Attack vector(s):
zzcms is a content management system (CMS) developed by China's zzcms team.
An absolute path information disclosure vulnerability exists in zzcms 2022. An unauthenticated attacker can exploit it by sending a GET request for "/one/siteinfo.php" with the path altered to "//one/siteinfo.php" (a doubled leading slash); the error message returned by the server reveals the location (absolute path) of the application on the filesystem.
Product:
ZZCMS
Version:
ZZCMS 2022
Vendor Homepage:
http://www.zzcms.net/
Software Link:
http://www.zzcms.net/download/zzcms2022.zip
or
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip
POC:
Send a GET request for "/one/siteinfo.php" with the path changed to "//one/siteinfo.php"; the error message returned by the server shows the location (absolute path) of the application.
Affected pages:
All pages that contain page /one/siteinfo.php
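As an added defender-side example (not part of this report and not code from the ZZCMS project), the script below does two things a responder would want for this class of issue: it scans web-server access logs for requests that use the doubled-leading-slash form of the affected page, and it checks a captured HTTP response body for an absolute path leaked in a PHP error message. The log lines and the response bodies are constructed samples in Apache/nginx combined-log style; the log regex and the path-leak regex are assumptions about the deployment and will need adjusting for other log formats or web roots.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (combined log format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2022:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2022:13:55:40 +0000] "GET //one/siteinfo.php HTTP/1.1" 200 812 "-" "curl/7.85.0"
203.0.113.7 - - [10/Oct/2022:13:55:41 +0000] "GET /one/siteinfo.php HTTP/1.1" 200 812 "-" "curl/7.85.0"
198.51.100.9 - - [10/Oct/2022:13:56:02 +0000] "GET ///one/siteinfo.php?x=1 HTTP/1.1" 200 812 "-" "python-requests/2.28"
"""

# Constructed response bodies: one that leaks a PHP error with the script's absolute path,
# one that does not. The web root /var/www/html is an assumed value.
SAMPLE_LEAKY_RESPONSE = (
    "<br />\n<b>Warning</b>:  Undefined variable $siteid in "
    "<b>/var/www/html/one/siteinfo.php</b> on line 12<br />\n"
)
SAMPLE_CLEAN_RESPONSE = "<html><body>site info</body></html>"

# Assumed combined-log layout: ip ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Affected page named in the report.
AFFECTED_PAGE = "one/siteinfo.php"

# Heuristic for absolute paths in PHP error text: Windows drive paths or common Unix web roots
# ending in .php. Tune for the real deployment; this is an assumption, not a vendor rule.
PATH_LEAK_RE = re.compile(
    r'(?:[A-Za-z]:\\[^\s<>"\']+\.php|/(?:var|home|usr|srv|opt|www)/[^\s<>"\']+\.php)'
)


def is_path_probe(path: str) -> bool:
    """True when the request path is the affected page requested with a doubled leading slash."""
    clean = path.split("?", 1)[0]          # drop query string
    return clean.startswith("//") and clean.lstrip("/") == AFFECTED_PAGE


def find_probes(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed log entries whose request path matches the probe pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparsable or blank line; skip
        if is_path_probe(m.group("path")):
            hits.append(m.groupdict())
    return hits


def find_path_leaks(body: str) -> List[str]:
    """Return absolute .php paths found in a response body (empty list means no leak seen)."""
    return PATH_LEAK_RE.findall(body)


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"probe from {hit['ip']} at {hit['ts']}: {hit['method']} {hit['path']} -> {hit['status']}")
    print("leaked paths:", find_path_leaks(SAMPLE_LEAKY_RESPONSE))
    print("clean body leaks:", find_path_leaks(SAMPLE_CLEAN_RESPONSE))
```

The log check deliberately ignores the normal single-slash request for the same page, so only the anomalous form is surfaced; the response check is what you would run against a captured body after applying the fix (PHP `display_errors` off, or normalising duplicate slashes at the web server) to confirm the error text no longer carries a filesystem path.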