| tiêu đề | Juzaweb Juzaweb CMS 3.4.2 Broken Access Control on “Error Logs" Page |
|---|
| Mô tả | Vulnerability Description
An unprivileged user can list and delete the logs generated by the CMS.
Impact
By exploiting this vulnerability, a malicious user can consult the CMS error logs to better understand the general functioning of the application, as well as delete logs with the intention of hiding malicious activities.
To reproduce:
1) Create a new user and add it to a role with all permissions disabled;
2) Log in with this user's account;
3) Access the address http://your-application.com/admin-cp/log-viewer ;
4) Note that the user can access the application's error logs and deleting these logs. |
|---|
| Nguồn | ⚠️ https://github.com/Cyber-Wo0dy/report/blob/main/juzawebcms/3.4.2/juzawebcms_unprivileged_user_list_delete_logs.md |
|---|
| Người dùng | Anonymous User |
|---|
| Đệ trình | 24/05/2025 03:00 (cách đây 1 Năm) |
|---|
| Kiểm duyệt | 01/06/2025 12:48 (8 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 310761 [juzaweb CMS đến 3.4.2 Error Logs Page /admin-cp/log-viewer nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|