Key information

Vulnerability title: Juzaweb CMS 3.4.2 Broken Access Control on "Add New Themes" Page

Description: An unprivileged user can upload new themes.

Impact: By exploiting this vulnerability, a user with few privileges can install arbitrary themes into the CMS.

Exploitation steps:
1. Create a new user and add it to a role with all permissions disabled.
2. Log in with that user account.
3. Go to http://yourapplication.com/admin-cp/theme/install.
4. Note that the user can upload new themes to the CMS.

Source: https://github.com/CyberWoody/report/blob/main/juzawebcms/3.4.2/juzawebcms_unprivileged_user_upload_new_themes.md

Submitter: Anonymous User
Submission time: 2023-05-25 07:51 PM (10 days ago)
Review status: Open
VulDB entry: [16801] juzaweb CMS 3.4.2 Add New Themes Page /admin-cp/theme/install improper authorization