ZwiiCMS < 13.7.00 Lock Persistence Authenticated DoS Against Administrative Pages

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.

Basic Information

ID CVE-2025-34467

Source VulnCheck

Published Dec 31, 2025 at 18:39

Affected Product

Vendor fredtempez

Product ZwiiCMS

Affected Versions fredtempez ZwiiCMS 0

CWE Classification

CWE-667 CWE-863

References

{
    "lastseen": "",
    "description": "ZwiiCMS\u00a0versions prior to\u00a013.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns \"404 Not Found\" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.",
    "published": "2025-12-31T18:39:35.214Z",
    "modified": "2025-12-31T18:39:35.214Z",
    "type": "cve",
    "title": "ZwiiCMS < 13.7.00 Lock Persistence Authenticated DoS Against Administrative Pages",
    "source": "VulnCheck",
    "references": "https://github.com/fredtempez/ZwiiCMS\nhttps://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00\nhttps://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages",
    "id": "CVE-2025-34467",
    "bulletinFamily": "",
    "cwe": [
        "CWE-667",
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "fredtempez ZwiiCMS 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ZwiiCMS",
    "version": "0",
    "vendor": "fredtempez",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ZwiiCMS < 13.7.00 Lock Persistence Authenticated DoS Against Administrative Pages_CVE-2025-34467