Server-Side Request Forgery in CSZCMS v1.3.0 by CSZCMS
CVE-2022-28997

7.5HIGH

Key Information:

Vendor

Cszcms

Status
Cszcms
Vendor
CVE Published:
23 May 2022

What is CVE-2022-28997?

CSZCMS version 1.3.0 is susceptible to a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to manipulate server requests. By exploiting this vulnerability, an attacker could initiate requests from the server to internal resources, potentially leading to unauthorized access to sensitive files. This vulnerability can be further exploited through local file inclusion at the endpoint /admin/filemanager/connector/, thereby exposing critical data stored on the server, which presents a significant security risk.

References

https://packetstormsecurity.com/files/166613/CSZCMS-1.3.0...
x_refsource_MISC
https://i.imgur.com/pzWjkXI.png
x_refsource_MISC
https://i.imgur.com/xxjxnGk.png
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2022-28997 : Server-Side Request Forgery in CSZCMS v1.3.0 by CSZCMS