Attack vector(s):
zzcms is a content management system (CMS) developed by China's zzcms team.
The zzcms 2022 version is vulnerable to absolute path disclosure on the zzcms management login page. By visiting "/admin/index.PHP? _server" on that page, an unauthenticated attacker can obtain error information returned by the server that shows the location (absolute path) of the application.
CVE-2022-40444
Discoverer: Yuan Lirong
Product:
ZZCMS
Version:
ZZCMS 2022
Vendor Homepage:
http://www.zzcms.net/
Software Link:
http://www.zzcms.net/download/zzcms2022.zip
or
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip
POC:
Request "/admin/index php?_ Server". The response contains error information returned by the server showing the location (absolute path) of the application.
Affected pages:
All pages that contain page /admin/index php?_ Server
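A defender-side check for this class of leak, as an added example that is not part of the original report: it scans an HTTP response body for PHP error messages that disclose an absolute file path. The sample bodies and the paths in them are constructed, not taken from zzcms, and the function name is hypothetical.

```python
import html
import re

# PHP renders errors as "<b>Warning</b>:  msg in <b>/path/file.php</b> on line <b>12</b>";
# uncaught exceptions use the shorter "in /path/file.php:12" form.
_TAGS = re.compile(r"<[^>]+>")
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated)\s*:\s+"
    r".*?\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\r\n]*?\.(?:php|inc))"  # Unix or Windows absolute path
    r"(?:\s+on\s+line\s+|:)(?P<line>\d+)",
    re.IGNORECASE,
)

def find_path_disclosures(body):
    """Return every absolute path leaked through a PHP error message in `body`."""
    text = html.unescape(_TAGS.sub("", body))  # drop the <b>/<br /> markup PHP adds
    return [
        {"level": m.group("level"), "path": m.group("path"), "line": int(m.group("line"))}
        for m in _PHP_ERROR.finditer(text)
    ]

# Constructed sample responses (placeholder paths, not real zzcms output).
SAMPLE_UNIX = (
    "<br />\n<b>Warning</b>:  Illegal string offset &#039;x&#039; in "
    "<b>/srv/www/example/admin/index.php</b> on line <b>12</b><br />\n"
)
SAMPLE_WINDOWS = (
    "Fatal error: Uncaught Error: Call to undefined function demo() in "
    "C:\\inetpub\\example\\admin\\index.php:7\nStack trace:\n#0 {main}"
)
SAMPLE_CLEAN = "<html><body><form action='login.php'>Login</form></body></html>"

if __name__ == "__main__":
    for name, body in [("unix", SAMPLE_UNIX), ("windows", SAMPLE_WINDOWS),
                       ("clean", SAMPLE_CLEAN)]:
        print(name, find_path_disclosures(body))
```

Run it over responses captured from your own deployment; any finding means error output is reaching the client instead of the server log.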