CVE-2022-36537: ZK Framework vulnerable to malicious POST
(updated )
ZK Framework version 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
References
- github.com/advisories/GHSA-6278-2q4m-cmf3
- github.com/zkoss/zk
- github.com/zkoss/zk/commit/92a29aa9b1daf1fd2d9d188cb6545f0441d54e84
- nvd.nist.gov/vuln/detail/CVE-2022-36537
- tracker.zkoss.org/browse/ZK-5150
- www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw
- www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36537
Code Behaviors & Features
Detect and mitigate CVE-2022-36537 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →