Submit #381444: juzaweb.com juzaweb cms v3.4.2 Arbitrary File Readinfo

Titlejuzaweb.com juzaweb cms v3.4.2 Arbitrary File Read
DescriptionAfter logging into the administrator account, an attacker can modify the website templates through the "/admin-cp/theme/editor/default" page. By utilizing the source and include functions in Twig templates, the attacker can read files. Furthermore, due to the lack of strict filtering on the input file paths, the attacker can achieve arbitrary file reading using directory traversal techniques. ------POC------ {{ source('../../../../../../../../../../../../../../etc/passwd') }}
Source⚠️ https://github.com/DeepMountains/Mirage/blob/main/CVE9-1.md
User
 Dee.Mirage (ID 71702)
Submission07/29/2024 01:56 AM (2 months ago)
Moderation08/06/2024 08:41 AM (8 days later)
StatusAccepted
VulDB Entry273696
Points20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!