Stored cross-site scripting (XSS) in z-9527 admin 1.0 and 2.0 allows authenticated remote attackers to inject malicious scripts via the Message Create Endpoint (/server/routes/message.js); the payload is stored in the message content, and user interaction is required to trigger it. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected installations without an official patch.
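The stored XSS above is a failure to encode message content when it is rendered. The following is an added example, not code from z-9527 admin, showing the defensive pattern: escape every user-controlled field at render time so a stored payload is displayed as text rather than executed. The record shape (`id`, `author`, `content`) and the sample rows are assumptions constructed for illustration.

```javascript
// Added example (not z-9527 admin's own code): escape message fields at
// render time. Field names and sample rows are constructed assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text or
// double/single-quoted attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Render one message row into an HTML fragment. Every value that
// originated from a client (author, content, even the id) is escaped;
// nothing user-controlled is concatenated raw into the markup.
function renderMessage(msg) {
  return `<div class="message" data-id="${escapeHtml(msg.id)}">` +
         `<span class="author">${escapeHtml(msg.author)}</span>` +
         `<p>${escapeHtml(msg.content)}</p></div>`;
}

// Returns true when a rendered fragment still contains an unescaped tag
// opener; handy as a regression check in tests for the view layer.
function containsRawTag(html) {
  return /<(script|img|svg|iframe|on\w+=)/i.test(html.replace(/^<div class="message" data-id="[^"]*"><span class="author">|<\/span><p>|<\/p><\/div>$/g, ''));
}

// Constructed sample rows, as they might come back from the message table.
const sampleMessages = [
  { id: 1, author: 'alice', content: 'Hello, world' },
  { id: 2, author: 'mallory', content: '<img src=x onerror="alert(1)">' },
];

for (const m of sampleMessages) {
  console.log(renderMessage(m));
}
```

Escaping at the output boundary (rather than only filtering on input) also neutralizes payloads that are already stored in the database, which matters here because no vendor patch exists to clean existing rows.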
Privilege escalation in z-9527 admin 1.0/2.0 allows authenticated users to manipulate the isAdmin parameter in the User Update Endpoint (/server/routes/user.js) to gain administrative privileges through dynamically-determined object attributes. The vulnerability requires network access and valid credentials (PR:L per CVSS vector) but no user interaction. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving all versions in the 1.x and 2.x branches unpatched.
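The privilege escalation above is a mass-assignment defect: the update handler copies whatever keys the client sends, including `isAdmin`, onto the stored user. The following is an added example, not code from z-9527 admin, contrasting that pattern with an allow-list of caller-editable fields. The field names, the user record shape, and the sample request body are assumptions constructed for illustration.

```javascript
// Added example (not z-9527 admin's own code): allow-list the fields a
// non-admin caller may change on a user update so a client-supplied
// "isAdmin" key never reaches the persistence layer. Field names and the
// request shape are constructed assumptions.

const USER_EDITABLE_FIELDS = ['username', 'email', 'avatar'];
const PRIVILEGED_FIELDS = ['isAdmin', 'role'];

// Return a new object holding only the keys the caller may update.
// hasOwnProperty.call guards against inherited keys on odd inputs.
function pickEditableFields(body, allowed = USER_EDITABLE_FIELDS) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Vulnerable pattern: every key in the request body is merged into the
// stored record, so a body containing isAdmin:true promotes the caller.
function applyUpdateUnsafe(user, body) {
  return Object.assign({}, user, body);
}

// Hardened pattern: only allow-listed keys are merged. Privilege flags are
// changed through a separate admin-only path, never from the caller's body.
function applyUpdateSafe(user, body) {
  return Object.assign({}, user, pickEditableFields(body));
}

// Report which privileged keys a request attempted to set; the handler can
// log or alert on a non-empty result, since a legitimate profile update
// has no reason to carry them.
function findPrivilegedKeys(body, privileged = PRIVILEGED_FIELDS) {
  return privileged.filter(k => Object.prototype.hasOwnProperty.call(body, k));
}

// Constructed sample: a low-privilege user and a request that tries to
// change both a permitted field and the isAdmin flag.
const sampleUser = { id: 7, username: 'alice', isAdmin: false };
const sampleBody = { username: 'alice2', isAdmin: true };

console.log('unsafe:', applyUpdateUnsafe(sampleUser, sampleBody));
console.log('safe:  ', applyUpdateSafe(sampleUser, sampleBody));
console.log('flagged keys:', findPrivilegedKeys(sampleBody));
```

The same allow-list should be applied by whatever data-access layer performs the write (for example an ORM `update` call), not only in the route handler, so that a second endpoint reusing the body cannot reintroduce the defect.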
Path traversal in z-9527 admin's file upload function allows authenticated remote attackers to manipulate the fileType parameter in /server/utils/upload.js to access files outside the intended directory, potentially leading to information disclosure or file overwrite. The vulnerability affects all versions up to commit 72aaf2dd05cf4ec2e98f390668b41e128eec5ad2, with publicly available exploit code documented and a CVSS score of 5.3 (low confidentiality, integrity, and availability impact). The vendor has not responded to early disclosure notification.