ZwiiCMS Denial-of-Service Vulnerability in Administrative Endpoints
Vulnerability
A denial-of-service vulnerability has been identified in ZwiiCMS versions prior to 13.7.00. It affects multiple administrative endpoints and is caused by an improper authorization check combined with flawed resource-state management. When an authenticated low-privilege user requests an administrative page, the application correctly answers with a '404 Not Found' response, but before the authorization check completes it has already assigned a temporary lock on the targeted resource to that user's session. Because the failed request does not release the lock, other users, including administrators, cannot access the affected functionality until the locking user's session is terminated or the user navigates away from the page.
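The ordering problem described above, as an added illustration that is not ZwiiCMS code: a handler that takes the per-session resource lock before checking authorization, beside one that authorizes first. The in-memory lock table, the handler and role names, and the 423 status returned when a resource is already locked by another session are all assumptions made for the example; the advisory does not state how ZwiiCMS represents the lock.

```python
"""
Added example of a lock-before-authorization ordering bug (not ZwiiCMS code).
Assumptions: a lock table keyed by resource name that stores the holding
session id, roles "admin" and "editor", and a 423 status when another
session already holds the lock.
"""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Session:
    session_id: str
    role: str  # assumed roles: "admin" or "editor"


@dataclass
class ResourceLocks:
    # resource name -> session id that currently holds the lock
    held: Dict[str, str] = field(default_factory=dict)

    def acquire(self, resource: str, session_id: str) -> bool:
        """Take the lock if it is free or already ours; refuse otherwise."""
        holder = self.held.get(resource)
        if holder is None or holder == session_id:
            self.held[resource] = session_id
            return True
        return False

    def release(self, resource: str, session_id: str) -> None:
        """Release only a lock that this session holds (e.g. on leaving the page)."""
        if self.held.get(resource) == session_id:
            del self.held[resource]


def is_authorized(session: Session) -> bool:
    # Only administrators may use administrative pages (assumption).
    return session.role == "admin"


def handle_vulnerable(locks: ResourceLocks, session: Session, resource: str) -> int:
    """Flawed ordering: the lock is assigned to the session before authorization."""
    if not locks.acquire(resource, session.session_id):
        return 423  # held by another session (status code assumed)
    if not is_authorized(session):
        return 404  # correct response, but the lock taken above is never released
    return 200


def handle_fixed(locks: ResourceLocks, session: Session, resource: str) -> int:
    """Authorize first; only an authorized session can ever hold the lock."""
    if not is_authorized(session):
        return 404
    if not locks.acquire(resource, session.session_id):
        return 423
    return 200


def demonstrate() -> dict:
    """Replay the scenario: a low-privilege user requests an admin page,
    then an administrator requests the same page."""
    editor = Session("sess-editor", "editor")
    admin = Session("sess-admin", "admin")

    vuln = ResourceLocks()
    vuln_editor = handle_vulnerable(vuln, editor, "admin-config")
    vuln_admin = handle_vulnerable(vuln, admin, "admin-config")
    # Lock is only freed once the editor's session leaves the page / ends.
    vuln.release("admin-config", editor.session_id)
    vuln_admin_after_release = handle_vulnerable(vuln, admin, "admin-config")

    fixed = ResourceLocks()
    fixed_editor = handle_fixed(fixed, editor, "admin-config")
    fixed_admin = handle_fixed(fixed, admin, "admin-config")

    return {
        "vuln_editor": vuln_editor,
        "vuln_admin": vuln_admin,
        "vuln_admin_after_release": vuln_admin_after_release,
        "fixed_editor": fixed_editor,
        "fixed_admin": fixed_admin,
    }


if __name__ == "__main__":
    for name, status in demonstrate().items():
        print(f"{name}: {status}")
```

In the flawed handler the editor receives the expected 404 yet leaves the lock behind, so the administrator is refused until the editor's session releases it; in the fixed handler the editor never touches the lock table and the administrator gets through immediately.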
Impact
Any authenticated low-privilege user can trigger this lock persistence issue and, by simply remaining on the page, deny other users, including administrators, access to the affected administrative functionality until the locking user leaves the page or their session ends.
Remediation
Update to ZwiiCMS version 13.7.00 or later, where this vulnerability has been addressed.
