CVE-2022-36537

Exposure of Sensitive Information to an Unauthorized Actor in maven/org.zkoss.zk/zk

Identifiers

GHSA-6278-2q4m-cmf3, CVE-2022-36537

Package Slug

maven/org.zkoss.zk/zk

Vulnerability

Exposure of Sensitive Information to an Unauthorized Actor

Description

ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allow attackers to access sensitive information via a crafted POST request sent to the AuUploader component. The listed versions are the last affected release on each supported line; the full affected ranges and the fixed releases are given below.

Affected Versions

All versions before 8.6.4.2, all versions starting from 9.0.0.0 before 9.0.1.3, all versions starting from 9.5.0.0 before 9.5.1.4, all versions starting from 9.6.0.0 before 9.6.0.2, all versions starting from 9.6.1 before 9.6.2

Solution

Upgrade to versions 8.6.4.2, 9.0.1.3, 9.5.1.4, 9.6.0.2, 9.6.2 or above.
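Because the fix landed on five separate release lines, a version check has to compare against each range rather than against a single "fixed" number, and ZK mixes three- and four-component version strings (9.6.1 is newer than 9.6.0.2). The following checker is an added example, not code from the advisory or from the ZK project; it encodes the ranges exactly as listed above and assumes that qualifier suffixes such as -Eval or -SNAPSHOT should be treated as the matching numeric release.

```python
"""Check a ZK Framework (maven/org.zkoss.zk/zk) version against the
affected ranges listed for CVE-2022-36537 / GHSA-6278-2q4m-cmf3."""
from __future__ import annotations

import re
from typing import Optional

# Ranges copied from the advisory: [introduced, fixed), with introduced=None
# meaning "all versions before".  Each fixed bound is also the minimum safe
# version on that release line.  Versions that fall between the listed lines
# (e.g. 9.1.x) are not covered by the advisory and are reported as unaffected.
AFFECTED_RANGES: list[tuple[Optional[str], str]] = [
    (None,      "8.6.4.2"),
    ("9.0.0.0", "9.0.1.3"),
    ("9.5.0.0", "9.5.1.4"),
    ("9.6.0.0", "9.6.0.2"),
    ("9.6.1",   "9.6.2"),
]

_NUMERIC = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '9.6.0.1' or '9.6.1-Eval' into a zero-padded 4-tuple so that
    three- and four-component ZK versions compare correctly
    (9.6.1 -> (9,6,1,0) > (9,6,0,2)).  Qualifier suffixes are ignored;
    treating them as the numeric release is an assumption of this example."""
    m = _NUMERIC.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) > 4:
        raise ValueError(f"too many version components: {v!r}")
    return parts + (0,) * (4 - len(parts))


def affected_range(v: str) -> Optional[tuple[Optional[str], str]]:
    """Return the (introduced, fixed) range that contains v, or None."""
    pv = parse_version(v)
    for introduced, fixed in AFFECTED_RANGES:
        lower_ok = introduced is None or parse_version(introduced) <= pv
        if lower_ok and pv < parse_version(fixed):
            return (introduced, fixed)
    return None


def is_affected(v: str) -> bool:
    """True if v falls inside any affected range from the advisory."""
    return affected_range(v) is not None


def minimum_fix(v: str) -> Optional[str]:
    """Smallest fixed version on the same release line as v, or None when v
    is not in an affected range (nothing to upgrade for this CVE)."""
    r = affected_range(v)
    return r[1] if r else None


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's five "last affected"
    # versions, their fixes, a qualifier-suffixed build and an unlisted line.
    for v in ("8.6.4.1", "8.6.4.2", "9.0.1.2", "9.5.1.3", "9.6.0.1",
              "9.6.1", "9.6.1-Eval", "9.6.2", "9.1.0"):
        print(f"{v:12} affected={is_affected(v)!s:5} fix={minimum_fix(v)}")
```

Feed it the version resolved by your build (for Maven, the org.zkoss.zk:zk entry in `mvn dependency:tree`), not the version declared in a parent POM, since a transitive dependency or BOM can pin a different release than the one you expect.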

Last Modified

2022-09-19
