{"id":"CVE-2022-36537","details":"ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.","aliases":["GHSA-6278-2q4m-cmf3"],"modified":"2026-03-13T05:56:31.680593Z","published":"2022-08-26T20:15:08.303Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-36537"},{"type":"ADVISORY","url":"https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/"},{"type":"FIX","url":"https://tracker.zkoss.org/browse/ZK-5150"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zkoss/zk","events":[{"introduced":"0"},{"fixed":"4271cf0b0a9a1686fafc43af169bc3768f57cba0"},{"introduced":"6c6f10ad57143191b1fb21c1794cbabc504a858c"},{"fixed":"9b0d586e384f0962798ece209dcf30ccd9cc35f3"},{"introduced":"9ed43004a2cf446d06f6003969b8807339e829b1"},{"fixed":"901c4a647002475d126fda878f4b3bbb2290fba9"},{"introduced":"d37dc80e9414849536f12d41b5ef766d02058046"},{"fixed":"fa2007a98b562012b42734def9373f1d5e456897"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.6.4.2"},{"introduced":"9.0.0"},{"fixed":"9.0.1.3"},{"introduced":"9.5.0"},{"fixed":"9.5.1.3"},{"introduced":"9.6.0"},{"fixed":"9.6.2"}]}}],"versions":["v8.6.4","v9.0.0","v9.0.0.1","v9.0.1","v9.0.1.1","v9.0.1.2","v9.1.0","v9.5.0","v9.5.0.1","v9.5.0.2","v9.5.1","v9.5.1.1","v9.5.1.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36537.json","vanir_signatures":[{"source":"https://github.com/zkoss/zk/commit/4271cf0b0a9a1686fafc43af169bc3768f57cba0","deprecated":false,"target":{"file":"zk/src/org/zkoss/zk/Version.java"},"signature_type":"Line","id":"CVE-2022-36537-291c1c74","digest":{"threshold":0.9,"line_hashes":["117576616078778999642976925321291918973","333628973242060767816104327271779652870"]},"signature_version":"v1"},{"source":"https://github.com/zkoss/zk/commit/fa2007a98b562012b42734def9373f1d5e456897","deprecated":false,"target":{"file":"zk/src/org/zkoss/zk/Version.java"},"signature_type":"Line","id":"CVE-2022-36537-3a076a92","digest":{"threshold":0.9,"line_hashes":["65590753180256321531435750335816438997","149143847992644947948913359545227319018"]},"signature_version":"v1"},{"source":"https://github.com/zkoss/zk/commit/9b0d586e384f0962798ece209dcf30ccd9cc35f3","deprecated":false,"target":{"file":"zk/src/org/zkoss/zk/Version.java"},"signature_type":"Line","id":"CVE-2022-36537-8f60720d","digest":{"threshold":0.9,"line_hashes":["7365089467909330125349943113272355522","47332037741835786028406970016400998198"]},"signature_version":"v1"},{"source":"https://github.com/zkoss/zk/commit/901c4a647002475d126fda878f4b3bbb2290fba9","deprecated":false,"target":{"file":"zk/src/org/zkoss/zk/Version.java"},"signature_type":"Line","id":"CVE-2022-36537-a081c810","digest":{"threshold":0.9,"line_hashes":["137711726433433016033059931372245228343","202631413215551158619460968328017010123"]},"signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}