CVE-2024-10290
📋 TL;DR
This vulnerability in ZZCMS 2023 allows remote attackers to access sensitive information through the file 3/qq-connect2.0/API/com/inc.php. The information disclosure could expose system details, configuration data, or other sensitive content. All users running ZZCMS 2023 are affected.
💻 Affected Systems
- ZZCMS
📦 What is this software?
Zzcms by Zzcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain sensitive configuration data, database credentials, or system information that could enable further attacks or data breaches.
Likely Case
Attackers access non-critical system information or configuration details that could aid in reconnaissance for additional attacks.
If Mitigated
Information exposure is limited to non-sensitive data or blocked by proper access controls and network segmentation.
🎯 Exploit Status
Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch available. Check vendor website for updates or apply workarounds.
🔧 Temporary Workarounds
Restrict access to vulnerable file
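Block direct access to the vulnerable inc.php file using web server configuration
# Apache 2.4+: add to .htaccess in 3/qq-connect2.0/API/com/
# (<Files> matches by file name, so at the site root it would block every inc.php)
<Files "inc.php">
    Require all denied
</Files>
# Apache 2.2 (or 2.4 with mod_access_compat): use these two lines instead of "Require all denied"
#     Order Allow,Deny
#     Deny from all
# Nginx: add to server block
location ~* /3/qq-connect2\.0/API/com/inc\.php$ {
    deny all;
    return 403;
}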
Remove or rename vulnerable file
Temporarily remove or rename the inc.php file to prevent exploitation (Linux)
mv /path/to/3/qq-connect2.0/API/com/inc.php /path/to/3/qq-connect2.0/API/com/inc.php.bak
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IPs only
- Deploy a web application firewall (WAF) with rules to block access to the vulnerable path
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://[your-domain]/3/qq-connect2.0/API/com/inc.php. If it returns content instead of being blocked or returning an error, the system is vulnerable.
Check Version:
Check ZZCMS version in admin panel or configuration files
Verify Fix Applied:
After applying workarounds, attempt to access the vulnerable URL and verify it returns 403 Forbidden or is otherwise inaccessible.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /3/qq-connect2.0/API/com/inc.php
- Unusual access patterns to the qq-connect2.0 directory
Network Indicators:
- HTTP GET requests to the vulnerable inc.php file from external IPs
SIEM Query:
source="web_server_logs" AND (uri="/3/qq-connect2.0/API/com/inc.php" OR uri LIKE "%/inc.php") AND status=200
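One way to apply the log indicators above to a web server access log, as an added example that is not part of the original advisory. It assumes the common/combined log format; the function names and the sample log lines are constructed for illustration, and it matches only the advisory's path rather than every file named inc.php.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Path named in the advisory, lowercased for comparison after normalization.
VULN_PATH = "/3/qq-connect2.0/api/com/inc.php"

# Common/combined log format (assumed): ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /3/qq-connect2.0/API/com/inc.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /3//qq-connect2.0/API/com/inc.php?a=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.20 - - [10/Oct/2024:14:02:11 +0000] "GET /3/qq-connect2.0/API/com/inc.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2024:14:05:02 +0000] "GET /other/inc.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

def normalize(target):
    """Strip the query string, percent-decode, collapse duplicate slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return normpath("/" + path.lstrip("/")).lower()

def scan(lines):
    """Split requests for the vulnerable file into served (200) and not served."""
    served, not_served = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != VULN_PATH:
            continue  # unparsable line, or a different file (e.g. another inc.php)
        hit = (m["ip"], m["ts"], m["method"], int(m["status"]))
        (served if hit[3] == 200 else not_served).append(hit)
    return served, not_served

if __name__ == "__main__":
    served, not_served = scan(SAMPLE_LOG)
    for ip, ts, method, status in served:
        print(f"ALERT  {ts} {ip} {method} -> {status} (file was served)")
    for ip, ts, method, status in not_served:
        print(f"info   {ts} {ip} {method} -> {status} (not served)")
```

After a workaround is in place, new requests for the path should appear only in the second list (for example with status 403).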