ZwiiCMS Privilege Escalation Vulnerability in User Management Component
Vulnerability
A privilege escalation vulnerability has been identified in the user management component of ZwiiCMS versions prior to 13.6.07. This vulnerability allows remote, authenticated attackers to escalate privileges by sending specially crafted HTTP requests. Low-privilege users can access and modify the profile data of any other user, including administrators.
Impact
Exploitation of this vulnerability allows low-privilege users to access and modify the profile information of other users, including administrators. This could lead to full account takeover of administrative accounts by changing the associated email address and using the password reset function.
Remediation
Users are advised to update to ZwiiCMS version 13.6.08 or the latest available version, as these include stronger authorization controls. The developer has published a security patch in version 13.6.08, available on their official repository. Additionally, administrators are recommended to temporarily restrict the creation of new accounts, review access and activity logs, and apply extra controls on administrative functions and password recovery processes.
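The two sections above describe the bug class (a profile-update handler that trusts the target user id in the request) and the recommended follow-up (review activity logs for abuse). The following is an added illustrative example, not ZwiiCMS code: a minimal vulnerable handler beside its hardened form, plus a small log-review helper that flags profile edits made by non-admins on other users' accounts. The user store, log format and timestamps are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    role: str   # "admin" or "member"
    email: str


class Forbidden(Exception):
    """Raised when the acting user may not edit the target profile."""


def make_users():
    # Constructed sample user store (not real accounts).
    return {
        "admin1": User("admin1", "admin", "admin@example.invalid"),
        "member1": User("member1", "member", "member1@example.invalid"),
        "member2": User("member2", "member", "member2@example.invalid"),
    }


def update_profile_unchecked(users, actor_id, target_id, new_email):
    """Vulnerable pattern: the target id comes from the request and is
    never compared with the session user, so any authenticated user can
    change any profile, including the e-mail used for password reset."""
    users[target_id].email = new_email
    return users[target_id]


def update_profile_checked(users, actor_id, target_id, new_email):
    """Hardened form: a user may edit only their own profile unless they
    hold the admin role. The decision uses the server-side session
    identity (actor_id), never a client-supplied value."""
    actor = users[actor_id]
    if actor_id != target_id and actor.role != "admin":
        raise Forbidden(f"{actor_id} may not edit the profile of {target_id}")
    users[target_id].email = new_email
    return users[target_id]


# Constructed activity-log lines in a hypothetical key=value format.
SAMPLE_LOG = [
    "ts=2000-01-01T10:00:00Z actor=member1 action=profile.update target=member1 field=email",
    "ts=2000-01-01T10:05:00Z actor=member2 action=profile.update target=admin1 field=email",
    "ts=2000-01-01T10:06:00Z actor=admin1 action=profile.update target=member2 field=email",
    "ts=2000-01-01T10:07:00Z actor=member2 action=login target=member2",
]


def find_cross_user_edits(log_lines, users):
    """Review helper: return (actor, target, field) for every profile
    update in which a non-admin (or unknown) actor edited someone else's
    profile. Self-edits and admin edits are expected and not flagged."""
    flagged = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("action") != "profile.update":
            continue
        actor_id, target_id = fields["actor"], fields["target"]
        actor = users.get(actor_id)
        if actor_id != target_id and (actor is None or actor.role != "admin"):
            flagged.append((actor_id, target_id, fields.get("field")))
    return flagged


if __name__ == "__main__":
    users = make_users()
    try:
        update_profile_checked(users, "member1", "admin1", "x@example.invalid")
    except Forbidden as exc:
        print("blocked:", exc)
    print("suspicious edits:", find_cross_user_edits(SAMPLE_LOG, users))
```

The check compares the session identity with the target on every write, which is the control the patched version is described as strengthening; the log helper is the kind of query to run over the real application's activity log while the upgrade is rolled out.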
