vendor:
Zomplog
by:
Dj7xpl
N/A
CVSS
HIGH
Remote File Disclosure
CWE
Product Name: Zomplog
Affected Version From: Zomplog v3.8
Affected Version To: Zomplog v3.8
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
Zomplog v3.8 Remote File Disclosure Vulnerability
The vulnerability allows an attacker to disclose files remotely by exploiting the force_download.php file in Zomplog v3.8. By manipulating the 'file' parameter in the URL, an attacker can access files on the server that are not intended to be publicly accessible.
Mitigation:
The vendor should release a patch to fix the vulnerability. In the meantime, users are advised to restrict access to the force_download.php file and ensure that sensitive files are not stored in publicly accessible directories.