
Description

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.
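The defect described above is an ordering problem: shared state (a per-resource lock tied to the session) is mutated before the authorization decision, so a request that is correctly rejected still leaves its side effect behind. The following is an added illustration, not ZwiiCMS code and not a reconstruction of the project's internals; the class names, the `admin/` path prefix, the `locked` result label and the in-memory lock table are all assumptions made for the example. It models both orderings side by side: the vulnerable handler locks first and authorizes second, the corrected handler authorizes first and only touches shared state for requests that are allowed to proceed.

```python
"""Lock-before-authorization versus authorization-before-lock.

Constructed example for the pattern behind CVE-2025-34467. It is not
ZwiiCMS code; resource names, roles and result labels are assumptions.
"""
from dataclasses import dataclass, field

ADMIN = "admin"
USER = "user"


@dataclass
class Session:
    sid: str
    role: str


@dataclass
class App:
    # resource path -> session id that currently holds the temporary lock
    locks: dict = field(default_factory=dict)

    def _acquire(self, resource: str, session: Session) -> bool:
        """Take the per-resource lock unless another session already holds it."""
        holder = self.locks.get(resource)
        if holder is not None and holder != session.sid:
            return False
        self.locks[resource] = session.sid
        return True

    def _release_all(self, session: Session) -> None:
        """Drop every lock held by this session (navigate away / session end)."""
        for resource in [r for r, sid in self.locks.items() if sid == session.sid]:
            del self.locks[resource]

    def _authorized(self, resource: str, session: Session) -> bool:
        # Assumed policy: anything under admin/ requires the admin role.
        return not resource.startswith("admin/") or session.role == ADMIN

    def vulnerable_get(self, resource: str, session: Session) -> str:
        """Vulnerable ordering: the lock is acquired before authorization.

        A low-privilege caller receives not_found, as the page describes,
        but the lock stays associated with that caller's session."""
        if not self._acquire(resource, session):
            return "locked"
        if not self._authorized(resource, session):
            return "not_found"
        return "ok"

    def fixed_get(self, resource: str, session: Session) -> str:
        """Corrected ordering: authorize first, mutate shared state second.

        Rejected requests produce no side effect, so they cannot block
        anyone else."""
        if not self._authorized(resource, session):
            return "not_found"
        if not self._acquire(resource, session):
            return "locked"
        return "ok"


def scenario(handler_name: str, release_between: bool = False) -> tuple:
    """Low-privilege session requests an admin page, then an admin tries.

    Returns (result for low-privilege user, result for admin)."""
    app = App()
    low = Session("sid-low", USER)
    admin = Session("sid-admin", ADMIN)
    handler = getattr(app, handler_name)

    first = handler("admin/users", low)
    if release_between:
        app._release_all(low)        # the low-privilege user navigates away
    second = handler("admin/users", admin)
    return first, second


if __name__ == "__main__":
    print("vulnerable:", scenario("vulnerable_get"))       # ('not_found', 'locked')
    print("after nav away:", scenario("vulnerable_get", release_between=True))
    print("fixed:", scenario("fixed_get"))                 # ('not_found', 'ok')
```

The general rule the fixed handler follows is that authorization is a pure check performed before any allocation, lock or state change on behalf of the request; anything acquired afterwards should also be released on every error path, not only on navigation away or session termination. When reviewing a handler for this class of bug, look for shared-state writes that precede the permission check and for rejected responses that return without an explicit release.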

Status: PUBLISHED | Reserved 2025-04-15 | Published 2025-12-31 | Updated 2026-01-05 | Assigner: VulnCheck

Severity: MEDIUM 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N)

Problem types

CWE-667 Improper Locking

CWE-863 Incorrect Authorization

Product status

Default status: unknown

Any version before 13.7.00: affected

Credits

Matías Schiappacasse (finder)

References

github.com/fredtempez/ZwiiCMS (product)

codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00 (release notes, patch)

www.vulncheck.com/...icated-dos-against-administrative-pages (third-party advisory)

cve.org (CVE-2025-34467)

nvd.nist.gov (CVE-2025-34467)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.