7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36537

CVE-2022-36537: ZK Framework vulnerable to malicious POST

ZK Framework version 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-36537

CVE-2022-36537:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.zkoss.zk:zk	maven	< 8.6.4.2	8.6.4.2
org.zkoss.zk:zk	maven	>= 9.0.0.0, < 9.0.1.3	9.0.1.3
org.zkoss.zk:zk	maven	>= 9.5.0.0, < 9.5.1.4	9.5.1.4
org.zkoss.zk:zk	maven	>= 9.6.0.0, < 9.6.0.2	9.6.0.2
org.zkoss.zk:zk	maven	>= 9.6.1, < 9.6.2	9.6.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of the 'nextURI' parameter in AuUploader and AuDropUploader servlets. The patch removes all references to 'nextURI' parameter processing and hardcodes the forward destination, indicating that user-controlled URI redirection was the root cause. The CVE description explicitly mentions exploitation via crafted POST requests to AuUploader, and the commit diff shows removal of 'nextURI' handling in both classes' service methods. This parameter allowed attackers to force the server to forward requests to internal resources like WEB-INF files.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-36537: ZK Framework vulnerable to malicious POST

CVE-2022-36537:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2022-36537: ZK Framework vulnerable to malicious POST

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.5

7.5

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI