Critical Code Injection Vulnerability in wuzhicms 4.1.0

CVE-2024-10505

7.2HIGH

Key Information

Vendor: wuzhicms
Status: Wuzhicms
Vendor: CVE Published:; 30 October 2024

Summary

A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Initially two separate issues were created by the researcher for the different function calls. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Version(s)

wuzhicms = 4.1.0

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 6.3 - (MEDIUM)
Oct 30, 2024
Vulnerability published.
Oct 30, 2024
VulDB entry last update
Oct 29, 2024
Vulnerability Reserved.
Oct 29, 2024
VulDB entry created
Oct 29, 2024
Advisory disclosed
Oct 29, 2024

Collectors

NVD DatabaseMitre Database

Credit

LVZC (VulDB User)