Home

Description

EN DE

A weakness has been identified in SeriaWei ZKEACMS up to 4.3. This issue affects the function Download of the file EventViewerController.cs. Executing manipulation of the argument ID can lead to path traversal. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Es wurde eine Schwachstelle in SeriaWei ZKEACMS bis 4.3 entdeckt. Davon betroffen ist die Funktion Download der Datei EventViewerController.cs. Die Bearbeitung des Arguments ID verursacht path traversal. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit wurde der Öffentlichkeit bekannt gemacht und könnte verwendet werden.

PUBLISHED Reserved 2025-09-20 | Published 2025-09-21 | Updated 2025-09-22 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
MEDIUM: 4.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
4.0AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR

Problem types

Path Traversal

Product status

4.0
affected

4.1
affected

4.2
affected

4.3
affected

Timeline

2025-09-20:Advisory disclosed
2025-09-20:VulDB entry created
2025-09-20:VulDB entry last update

Credits

Yu Bao (VulDB User) reporter

References

vuldb.com/?id.325121 (VDB-325121 | SeriaWei ZKEACMS EventViewerController.cs Download path traversal) vdb-entry technical-description

vuldb.com/?ctiid.325121 (VDB-325121 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.650445 (Submit #650445 | SeriaWei ZKEACMS v4.3 Arbitrary File Reading) third-party-advisory

github.com/August829/YU1/issues/1 exploit issue-tracking

cve.org (CVE-2025-10766)

nvd.nist.gov (CVE-2025-10766)

Download JSON