CVE-2024-44820
04.09.2024, 15:15
A sensitive information disclosure vulnerability exists in ZZCMS v.2023 and before within the eginfo.php file located at /3/E_bak5.1/upload/. When accessed with the query parameter phome=ShowPHPInfo, the application executes the phpinfo() function, which exposes detailed information about the PHP environment, including server configuration, loaded modules, and environment variables.
| Vendor | Product | Version |
|---|---|---|
| zzcms | zzcms | 𝑥 ≤ 2023 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.