| Title | juzaweb.com juzaweb cms v3.4.2 Arbitrary File Read |
|---|---|
| Description | After logging into the administrator account, an attacker can modify the website templates through the "/admin-cp/theme/editor/default" page. By using the `source` and `include` functions in Twig templates, the attacker can read files. Furthermore, because the input file paths are not strictly filtered, the attacker can achieve arbitrary file reading using directory traversal techniques. |
| Source | https://github.com/DeepMountains/Mirage/blob/main/CVE9-1.md |
| User | Dee.Mirage (UID 71702) |
| Submitted | 2024-07-29 01:56 AM (2 years ago) |
| Moderation | 2024-08-06 08:41 AM (8 days later) |
| Status | Accepted |
| VulDB entry | 273696 [juzaweb CMS up to 3.4.2 Theme Editor default directory traversal] |
| Points | 20 |

PoC (from the submission; pasted into a theme template via the editor page above):

```twig
{{ source('../../../../../../../../../../../../../../etc/passwd') }}
```
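The submission says the theme editor's template loader does no strict filtering of the template name that `source()` receives, so `..` segments walk out of the theme directory. The following is an added example, not code from juzaweb or from the submitter, that models the two loader behaviours side by side: one that only joins and normalises the name (the behaviour the advisory describes), and one that refuses any name whose resolved path leaves the theme root. The theme root path and the in-memory file map are constructed for the example; the payload is the one from the PoC.

```python
import posixpath

# Assumed on-disk layout for illustration only; not juzaweb's actual theme path.
THEME_ROOT = "/var/www/juzaweb/themes/default"

# Constructed in-memory "filesystem" so the example runs offline.
FAKE_FS = {
    "/var/www/juzaweb/themes/default/views/index.twig": "<h1>{{ title }}</h1>",
    "/var/www/juzaweb/themes/default/views/partials/nav.twig": "<nav>...</nav>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}

# The template name from the PoC.
POC_PAYLOAD = "../../../../../../../../../../../../../../etc/passwd"


def resolve_unchecked(name, root=THEME_ROOT):
    """Model of a loader that joins the user-supplied template name onto the
    theme root and normalises it, but never checks that the result is still
    under the root. This is the behaviour the advisory describes, not
    juzaweb's actual code."""
    return posixpath.normpath(posixpath.join(root, name))


def resolve_contained(name, root=THEME_ROOT):
    """Hardened variant: reject null bytes, absolute names and any name whose
    normalised path leaves the theme root. Returns the resolved path or raises
    ValueError."""
    if "\x00" in name:
        raise ValueError("null byte in template name")
    if posixpath.isabs(name):
        raise ValueError(f"absolute template name refused: {name!r}")
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root, name))
    # The trailing "/" matters: without it "../default-evil/x" would pass as a
    # prefix match on ".../default".
    if resolved != root and not resolved.startswith(root + "/"):
        raise ValueError(f"template name escapes theme root: {name!r}")
    return resolved


def source_unchecked(name, fs=FAKE_FS):
    """Twig-style source(): return raw file contents with no containment check."""
    return fs.get(resolve_unchecked(name))


def source_contained(name, fs=FAKE_FS):
    """Twig-style source() behind the containment check; None for unknown templates."""
    return fs.get(resolve_contained(name))


def is_traversal_attempt(name, root=THEME_ROOT):
    """True when a template name would escape the theme root. Usable as a
    detection check on template names found in theme-editor save requests."""
    try:
        resolve_contained(name, root)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked:", source_unchecked(POC_PAYLOAD))      # leaks /etc/passwd
    print("traversal:", is_traversal_attempt(POC_PAYLOAD))  # True: refuse the request
```

Two caveats for anyone porting the check to a real loader. The check above works on strings only; against a real filesystem, resolve both the root and the candidate with `os.path.realpath` so a symlink planted inside the theme directory cannot point outside it. Also, Twig's stock `FilesystemLoader` already refuses template names that climb above its configured paths, so the guarantee is lost when a custom loader skips that validation or when the loader is handed an over-broad root such as `/`.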