CVE-2024-0603

Name of the Vulnerable Software and Affected Versions ZhiCms versions up to 4.0

Description A critical vulnerability has been found in ZhiCms, affecting an unknown part of the file app/plug/controller/giftcontroller.php. The manipulation of the mylike argument leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability is related to deficiencies in the deserialization mechanism, which may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information.

Recommendations For ZhiCms versions up to 4.0, as a temporary workaround, consider disabling the deserialization of the mylike argument in the giftcontroller.php file until a patch is available. Restrict access to the app/plug/controller/giftcontroller.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.