
Exploit for ZK Framework - Information Disclosure (CVE-2022-36537)

Description:

ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 are susceptible to information disclosure. An attacker can access sensitive information via a crafted POST request to the AuUploader component and may thereby obtain additional sensitive information, modify data, and/or execute unauthorized operations.

Nuclei Template

View the template: CVE-2022-36537.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2022/CVE-2022-36537.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2022-36537
https://github.com/Malwareman007/CVE-2022-36537/
https://github.com/ARPSyndicate/kenzer-templates
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/
https://tracker.zkoss.org/browse/ZK-5150