| عنوان | juzaweb.com juzaweb cms v3.4.2 Arbitrary File Read |
|---|
| الوصف | After logging into the administrator account, an attacker can modify the website templates through the "/admin-cp/theme/editor/default" page. By utilizing the source and include functions in Twig templates, the attacker can read files. Furthermore, due to the lack of strict filtering on the input file paths, the attacker can achieve arbitrary file reading using directory traversal techniques.
------POC------
{{ source('../../../../../../../../../../../../../../etc/passwd') }}
|
|---|
| المصدر | ⚠️ https://github.com/DeepMountains/Mirage/blob/main/CVE9-1.md |
|---|
| المستخدم | Dee.Mirage (UID 71702) |
|---|
| ارسال | 29/07/2024 01:56 AM (2 سنوات منذ) |
|---|
| الاعتدال | 06/08/2024 08:41 AM (8 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 273696 [juzaweb CMS حتى 3.4.2 Theme Editor default اجتياز الدليل] |
|---|
| النقاط | 20 |
|---|