juzaweb CMS
cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*
- 3.4.2
A critical vulnerability has been identified in Juzaweb CMS version 3.4.2, specifically within the Import Page component. The issue arises from an unknown function in the file '/admin-cp/imports', leading to improper authorization. This vulnerability allows unprivileged users to access functions related to file imports, enabling them to import arbitrary files into the CMS. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows low-privileged users to bypass authorization and import arbitrary files into the CMS, potentially leading to further exploitation or unauthorized access.
To reproduce this vulnerability, create a new user and assign it a role with all permissions disabled. Log in with this account and navigate to the '/admin-cp/imports' page. The user will be able to import files into the CMS, despite having no import permissions.