CVE-2025-1818
Published: 02 March 2025
Description
A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. This issue affects some unknown processing of the file src/main/java/com/futvan/z/system/zfile/ZfileAction.upload. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1818 is a critical vulnerability in zj1983 zz versions up to 2024-8, affecting the processing of file uploads in the component src/main/java/com/futvan/z/system/zfile/ZfileAction.upload. The flaw enables unrestricted file upload through manipulation of the "file" argument and can be triggered remotely.
A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation leads to low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) within unchanged scope (S:U), as reflected in its CVSS 3.1 base score of 6.3. The issue maps to CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
Advisories detailing the vulnerability are published on VulDB, including the entries at https://vuldb.com/?ctiid.298091 and https://vuldb.com/?id.298091, with an additional disclosure at https://www.yuque.com/u123456789-6sobi/cdgcbq/bg2g3eit41o4cpd4. The exploit has been publicly disclosed and may be used; the vendor was contacted early but provided no response, and no patches or specific mitigations are referenced.
The vulnerability was published on 2025-03-02. Although the exploit is available, the available details note no exploitation in the wild.
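The advisory references no vendor fix, so the practical defence is the standard CWE-434 control set on the upload path itself. The following Java class is an added illustration written for this page; it is not code from the zz project and does not reproduce ZfileAction.upload. All class, method and file names in it are hypothetical. It shows the checks an upload handler should apply to a client-supplied "file" argument: an extension allowlist tied to a magic-byte check, a server-generated filename so the client string never reaches the filesystem, storage under a directory that is not the web root, and a byte cap enforced while streaming rather than trusting Content-Length.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

/**
 * Hypothetical hardened upload handler (CWE-434 mitigation); not code from the zz project.
 * Controls: extension allowlist, magic-byte check, client filename never used on disk,
 * storage outside the web root, hard size cap independent of Content-Length.
 */
public final class SafeUploadHandler {
    private static final long MAX_BYTES = 5L * 1024 * 1024;
    // Constructed allowlist: extension -> bytes the content must start with
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "pdf", new byte[] {'%', 'P', 'D', 'F'});

    private final Path storageRoot; // must not be under the servlet document root

    public SafeUploadHandler(Path storageRoot) throws IOException {
        this.storageRoot = storageRoot.toAbsolutePath().normalize();
        Files.createDirectories(this.storageRoot);
    }

    /** Lower-cased extension of the client name after stripping any directory component. */
    static String extensionOf(String clientName) {
        String base = clientName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return "";
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Validates and stores the upload; returns the server-chosen path. */
    public Path store(String clientName, InputStream body) throws IOException {
        String ext = extensionOf(clientName);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) throw new IllegalArgumentException("extension not allowed: '" + ext + "'");

        // Sniff the leading bytes: a ".png" that is not a PNG is rejected (e.g. a JSP renamed to .png)
        byte[] head = body.readNBytes(magic.length);
        if (!Arrays.equals(head, magic)) throw new IllegalArgumentException("content does not match ." + ext);

        // Server-generated name: the client-controlled string never touches the filesystem
        Path target = storageRoot.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(storageRoot)) throw new IllegalStateException("path escaped storage root");

        long written = 0;
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE_NEW)) {
            out.write(head);
            written += head.length;
            byte[] buf = new byte[8192];
            int n;
            while ((n = body.read(buf)) != -1) {
                written += n;
                if (written > MAX_BYTES) throw new IOException("upload exceeds " + MAX_BYTES + " bytes");
                out.write(buf, 0, n);
            }
        } catch (IOException e) {
            Files.deleteIfExists(target); // never leave a partial file behind
            throw e;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        SafeUploadHandler h = new SafeUploadHandler(Files.createTempDirectory("uploads"));
        // Constructed sample: a PNG-prefixed body sent under a traversal-style client name
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0};
        System.out.println("stored at " + h.store("../../../avatar.png", new ByteArrayInputStream(png)));
        for (String name : new String[] {"shell.jsp", "a.png.jsp", "noext"}) {
            try {
                h.store(name, new ByteArrayInputStream(png));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + name + ": " + e.getMessage());
            }
        }
        try {
            h.store("fake.pdf", new ByteArrayInputStream(png)); // extension allowed, content is not a PDF
        } catch (IllegalArgumentException e) {
            System.out.println("rejected fake.pdf: " + e.getMessage());
        }
    }
}
```

Compile and run with a Java 11 or newer JDK (`readNBytes` and `Map.of` require it). The check order matters: the extension is taken only after directory components are stripped, so "a.png.jsp" is judged by its final ".jsp" and refused, and because the stored name is a UUID the traversal prefix in "../../../avatar.png" is irrelevant to where the file lands.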
Details
- CWE(s)