Description

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.

Related CPE's

Could not find any relations

References

https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00

https://github.com/fredtempez/ZwiiCMS

https://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages

Weaknesses

[email protected]

Primary
CWE-667CWE-863

CVSS impact metrics

Missing metrics for CVSS V

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Awaiting analysis

Published

2025-12-31T19:15:43.753

2 hours ago

Last modified

2025-12-31T20:42:15.637

1 hour ago