CVE-2022-36537: Exposure of Sensitive Information to an Unauthorized Actor

August 27, 2022 (updated September 16, 2022)

ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

References

github.com/advisories/GHSA-6278-2q4m-cmf3
nvd.nist.gov/vuln/detail/CVE-2022-36537
tracker.zkoss.org/browse/ZK-5150

Detect and mitigate CVE-2022-36537 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →