PT-2025-37724 · Zkeacms · Zkeacms
Yu_Bao
·
Published
2025-09-15
·
Updated
2025-10-14
·
CVE-2025-10471
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ZKEACMS version 4.3
Description
A server-side request forgery issue exists in ZKEACMS 4.3. The
Proxy function within the src/ZKEACMS/Controllers/MediaController.cs file is susceptible to manipulation of the url argument, leading to server-side request forgery. The attack can be initiated remotely, and the exploit is publicly available.Recommendations
As a temporary workaround, consider disabling the
Proxy function in src/ZKEACMS/Controllers/MediaController.cs until a patch is available.Exploit
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zkeacms