CVE-2024-25414

Name of the Vulnerable Software and Affected Versions CSZ CMS version 1.3.0

Description The issue is an arbitrary file upload vulnerability in the /admin/upgrade component, which allows attackers to execute arbitrary code by uploading a crafted Zip file. This vulnerability can be exploited by uploading a specially crafted Zip file to the /admin/upgrade component. There is no information provided about whether this vulnerability has been exploited by attackers or if there is a public exploit available.

Recommendations For CSZ CMS version 1.3.0, as a temporary workaround, consider disabling the /admin/upgrade component until a patch is available. Restrict access to the /admin/upgrade component to minimize the risk of exploitation. Avoid using the /admin/upgrade component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.