Juzaweb CMS Broken Access Control Vulnerability in Plugins Page

Vulnerability

A critical broken access control vulnerability has been identified in Juzaweb CMS versions through 3.4.2. This issue allows unprivileged users to access the Plugins Page in the admin panel, where they can list installed plugins and upload new ones, potentially including malicious code. The vulnerability arises from improper access controls in the plugin installation feature, which can be exploited remotely.

Impact

Exploitation of this vulnerability allows an attacker to enumerate installed plugins and upload plugins containing malicious code.

Reproduction

To reproduce this vulnerability, create a new user and assign it a role with all permissions disabled. Log in with this account and navigate to the plugin installation page in the admin panel. The user will be able to see a list of installed plugins and upload new ones.
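The following is an added example, not code from Juzaweb or from this advisory: a small model of the reproduction case that audits an admin route table for routes a role with every permission disabled can still reach. The route names, permission names and the assumption that the plugin routes declare no permission are constructed for illustration; the advisory does not describe the underlying cause at code level.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    name: str                  # hypothetical route name, not Juzaweb's
    permission: Optional[str]  # permission the route requires; None = none declared


# Constructed route tables (placeholders, not taken from Juzaweb).
VULNERABLE = [
    Route("posts.index", "posts.view"),
    Route("plugins.index", None),    # lists installed plugins, no permission declared
    Route("plugins.upload", None),   # accepts plugin uploads, no permission declared
]
HARDENED = [
    Route("posts.index", "posts.view"),
    Route("plugins.index", "plugins.view"),
    Route("plugins.upload", "plugins.install"),
]


def allowed(route, granted, deny_by_default):
    """Decide whether an authenticated admin-panel user may reach a route."""
    if route.permission is None:
        # Fail-open treats an undeclared permission as "any logged-in user".
        return not deny_by_default
    return route.permission in granted


def reachable_without_permissions(routes, deny_by_default=False):
    """Return the routes a role with every permission disabled can still reach."""
    no_permissions = frozenset()
    return [r.name for r in routes if allowed(r, no_permissions, deny_by_default)]


if __name__ == "__main__":
    print("vulnerable:     ", reachable_without_permissions(VULNERABLE))
    print("hardened:       ", reachable_without_permissions(HARDENED))
    print("deny by default:", reachable_without_permissions(VULNERABLE, True))
```

Any route name returned by the audit is a regression: either the route is missing its permission declaration or the authorization check fails open.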

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.1
exploitability: 6.8
remediation: 0.0
relevance: 0.1
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.