| tiêu đề | Juzaweb Juzaweb CMS 3.4.2 Broken Access Control on “Plugins" Page |
|---|
| Mô tả | Vulnerability Description
An unprivileged user can list and install plugins in the CMS.
Impact
By exploiting this vulnerability, an attacker can enumerate the plugins installed in the CMS, as well as install a plugin with malicious code.
To reproduce:
1) Create a new user and add it to a role with all permissions disabled;
2) Log in with that user's account;
3) Access the address http://your-application.com/admin-cp/plugin/install ;
4) Note that the user can list the installed plugins, as well as upload new plugins. |
|---|
| Nguồn | ⚠️ https://github.com/Cyber-Wo0dy/report/blob/main/juzawebcms/3.4.2/juzawebcms_unprivileged_user_list_install_plugins.md |
|---|
| Người dùng | Anonymous User |
|---|
| Đệ trình | 24/05/2025 03:01 (cách đây 1 Năm) |
|---|
| Kiểm duyệt | 01/06/2025 12:48 (8 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 310762 [juzaweb CMS đến 3.4.2 Plugins Page /admin-cp/plugin/install nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|