CVE-2018-13980
Published 2018-07-16
Priority P3 · 43 · medium · 5.5 · CVSS 3.1
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 6.90% (93.3th percentile)
The websites that were built from Zeta Producer Desktop CMS before 14.2.1 are vulnerable to unauthenticated file disclosure if the plugin "filebrowser" is installed, because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zeta-producer | zeta_producer | < 14.2.1 | 14.2.1 |
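CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |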
No detection rules found.
Exploit-DB
Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure
exploitdb·2018-07-13·CVSS 5.5
CVE-2018-13981 [MEDIUM] Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure
---
SEC Consult Vulnerability Lab Security Advisory
title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
vulnerable version: =14.2.1
CVE number: CVE-2018-13981, CVE-2018-13980
impact: critical
homepage: https://www.zeta-producer.com
found: 2017-11-25
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
Vendor description:
"With Zeta Producer, the website builder and online shop system for Windows,
you can create and manage your website locally, on your computer.
Get without expertise in 3 steps to your own homepage: select design,
paste content, publish website. Finishe
Nuclei
Zeta Producer Desktop CMS <14.2.1 - Local File Inclusion
nuclei·CVSS 5.5
CVE-2018-13980 [MEDIUM] Zeta Producer Desktop CMS <14.2.1 - Local File Inclusion
Zeta Producer Desktop CMS before 14.2.1 is vulnerable to local file inclusion if the plugin "filebrowser" is installed because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
Template:
```yaml
id: CVE-2018-13980

info:
  name: Zeta Producer Desktop CMS <14.2.1 - Local File Inclusion
  author: wisnupramoedya
  severity: medium
  description: Zeta Producer Desktop CMS before 14.2.1 is vulnerable to local file inclusion if the plugin "filebrowser" is installed because of assets/php/filebrowser/filebrowser.main.php?file=../ directory traversal.
  impact: |
    An attacker can exploit this vulnerability to access sensitive information, such as configuration files, credentials, or other sensitive data stored on the server.
  remedi
```
http://packetstormsecurity.com/files/148537/Zeta-Producer-Desktop-CMS-14.2.0-Code-Execution-File-Disclosure.html
https://www.exploit-db.com/exploits/45016/
https://www.sec-consult.com/en/blog/advisories/remote-code-execution-local-file-disclosure-zeta-producer-desktop-cms/