CVE-2025-34467

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management. When an authenticated low-privilege user requests an administrative page, the application returns "404 Not Found" as expected, but incorrectly acquires and associates a temporary lock on the targeted resource with the attacker session prior to authorization. This lock prevents other users, including administrators, from accessing the affected functionality until the attacker navigates away or the session is terminated.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00	Release Notes
https://github.com/fredtempez/ZwiiCMS	Product
https://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zwiicms:zwiicms:*:*:*:*:*:*:*:*

History

17 Jun 2026, 09:14

Type	Values Removed	Values Added
Summary		(es) Las versiones de ZwiiCMS anteriores a la 13.7.00 contienen una vulnerabilidad de denegación de servicio en múltiples puntos finales administrativos debido a comprobaciones de autorización incorrectas combinadas con una gestión de estado de recursos defectuosa. Cuando un usuario autenticado con bajos privilegios solicita una página administrativa, la aplicación devuelve '404 Not Found' como se espera, pero adquiere y asocia incorrectamente un bloqueo temporal en el recurso objetivo con la sesión del atacante antes de la autorización. Este bloqueo impide que otros usuarios, incluidos los administradores, accedan a la funcionalidad afectada hasta que el atacante se aleje o la sesión se termine.

02 Feb 2026, 18:36

Type	Values Removed	Values Added
First Time		Zwiicms Zwiicms zwiicms
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
References	~~() https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00 -~~	() https://codeberg.org/fredtempez/ZwiiCMS/releases/tag/13.7.00 - Release Notes
References	~~() https://github.com/fredtempez/ZwiiCMS -~~	() https://github.com/fredtempez/ZwiiCMS - Product
References	~~() https://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages -~~	() https://www.vulncheck.com/advisories/zwiicms-lock-persistence-authenticated-dos-against-administrative-pages - Third Party Advisory
CPE		cpe:2.3:a:zwiicms:zwiicms::::::::

31 Dec 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-31 19:15

Updated : 2026-06-17 09:14

NVD link : CVE-2025-34467

Mitre link : CVE-2025-34467

CVE.ORG link : CVE-2025-34467

JSON object : View

Products Affected

zwiicms

zwiicms

CWE

CWE-667

Improper Locking

CWE-863

Incorrect Authorization

4.3 /10