CVE-2022-28521

Name of the Vulnerable Software and Affected Versions ZCMS version v20170206

Description A file inclusion issue was discovered in ZCMS, which can be exploited via the "index.php" endpoint with specific parameters, including m, c, and a. The vulnerability is triggered when an attacker manipulates the a parameter, set to sp set config, allowing for potential malicious file inclusion.

Recommendations For ZCMS version v20170206, as a temporary workaround, consider restricting access to the "index.php" endpoint with the m=home, c=home, and a=sp set config parameters until a patch is available. Avoid using the a parameter with the value sp set config in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.