| Title | SeriaWei ZKEACMS ZKEACMS.v4.3 ssrf |
|---|---|
| Description | In ZKEACMS Enterprise v.4.3, the default ZKEACMS.SEOSuggestions component contains CheckPage and Suggestions methods. While these methods are limited to checking the current page on the front end, this restriction is not enforced in back-end requests. Furthermore, there is no validation or filtering of the URL's host or scheme, which allows an authenticated administrator to force the server to issue arbitrary HTTP/HTTPS requests to internal or external network resources. |
| Source | ⚠️ https://github.com/wooyun123/wooyun/issues/1 |
| User | jiazhou (UID 89028) |
| Submission | 09/04/2025 18:29 (9 months ago) |
| Moderation | 09/20/2025 10:47 (16 days later) |
| Status | Accepted |
| VulDB entry | 325120 [SeriaWei ZKEACMS up to 4.3 SEOSuggestions ZKEACMS.SEOSuggestions.dll CheckPage/Suggestions server-side request forgery] |
| Points | 20 |