PT-2024-18628 · Zhicms · Zhicms
Linyz-Tel
·
Published
2024-02-29
·
Updated
2025-05-19
·
CVE-2024-2016
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ZhiCms version 4.0
Description
A critical issue was found in the function
index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the attack remotely.Recommendations
For ZhiCms version 4.0, consider disabling the
index function in the setcontroller.php file until a patch is available. Restrict access to the setcontroller.php file to minimize the risk of exploitation. Avoid using the sitename argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.Exploit
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zhicms