CVE-2022-36537

CVSS 7.5 HIGH · EPSS 95.3% · KEV
In short

ZK Framework has a flaw in the AuUploader component that allows attackers to access sensitive information by sending specially crafted POST requests. This exposes data that should be protected.

Technical detail

The AuUploader component in ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1 fails to properly validate or restrict access to sensitive data when processing POST requests. An unauthenticated attacker can send a crafted POST request to the component and obtain that data; no prior authentication or special privileges are required.

Summary generated and translated by AI from the official description.
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a