High severity · CISA KEV · NVD Advisory · Published Aug 26, 2022 · Updated Oct 21, 2025
CVE-2022-36537
Description
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.zkoss.zk:zk (Maven) | < 8.6.4.2 | 8.6.4.2 |
| org.zkoss.zk:zk (Maven) | >= 9.0.0.0, < 9.0.1.3 | 9.0.1.3 |
| org.zkoss.zk:zk (Maven) | >= 9.5.0.0, < 9.5.1.4 | 9.5.1.4 |
| org.zkoss.zk:zk (Maven) | >= 9.6.0.0, < 9.6.0.2 | 9.6.0.2 |
| org.zkoss.zk:zk (Maven) | >= 9.6.1, < 9.6.2 | 9.6.2 |
Affected products
- ZK Framework / ZK Framework
Patches
13 files changed · +4 −11
zkdoc/release-note+1 −0 modified@@ -2,6 +2,7 @@ ZK 9.5.1.4 * Features * Bugs + ZK-5150: uploading issue * Upgrade Notes
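--- a/zk/src/org/zkoss/zk/au/http/AuDropUploader.java
+++ b/zk/src/org/zkoss/zk/au/http/AuDropUploader.java
@@ -98,7 +98,7 @@ public void service(HttpServletRequest request, HttpServletResponse response, St
 }
 final Map<String, String> attrs = new HashMap<String, String>();
-String alert = null, uuid = null, dtid = null, nextURI = null;
+String alert = null, uuid = null, dtid = null;
 Desktop desktop = null;
 try {
 if (Strings.isEmpty(uuid = fetchParameter(request, "uuid", attrs)))
@@ -110,7 +110,6 @@ public void service(HttpServletRequest request, HttpServletResponse response, St
 if (alert == null) {
 desktop = ((WebAppCtrl) sess.getWebApp()).getDesktopCache(sess).getDesktop(dtid);
 final Map<String, Object> params = parseRequest(request, desktop, "");
-nextURI = (String) params.get("nextURI");
 processItems(desktop, params, attrs);
 }
 } catch (Throwable ex) {
@@ -120,8 +119,6 @@ public void service(HttpServletRequest request, HttpServletResponse response, St
 if (uuid != null)
 attrs.put("uuid", uuid);
 }
-if (nextURI == null)
-nextURI = request.getParameter("nextURI");
 if (ex instanceof ComponentNotFoundException) {
 alert = generateAlertMessage(MISSING_REQUIRED_COMPONENT,
 Messages.get(MZk.UPDATE_OBSOLETE_PAGE, uuid));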
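Review bot: The removal of the `nextURI` plumbing in these three hunks is the fix, but nothing in the new code records that the forward target must never be request-derived, so a later refactor could reintroduce a `getParameter("nextURI")` lookup without anything in the source flagging it. A one-line comment at the declaration, `// forward target is fixed server-side; never taken from the request (ZK-5150)`, would pin that invariant where the next maintainer will read it. The `Servlets.forward` call that consumes the target in AuDropUploader is outside these hunks, so this section alone does not show what the response now forwards to. `service` begins before the first hunk and continues past the last.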
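--- a/zk/src/org/zkoss/zk/au/http/AuUploader.java
+++ b/zk/src/org/zkoss/zk/au/http/AuUploader.java
@@ -109,7 +109,7 @@ public void service(HttpServletRequest request, HttpServletResponse response, St
 }
 final Map<String, String> attrs = new HashMap<String, String>();
-String alert = null, uuid = null, nextURI = null, sid = null;
+String alert = null, uuid = null, sid = null;
 Desktop desktop = null;
 try {
 if (!isMultipartContent(request)) {
@@ -162,7 +162,6 @@ public void service(HttpServletRequest request, HttpServletResponse response, St
 } else {
 desktop = ((WebAppCtrl) sess.getWebApp()).getDesktopCache(sess).getDesktop(dtid);
 final Map<String, Object> params = parseRequest(request, desktop, uuid + '_' + sid);
-nextURI = (String) params.get("nextURI");
 processItems(desktop, params, attrs);
 }
@@ -174,8 +173,6 @@ public void service(HttpServletRequest request, HttpServletResponse response, St
 if (uuid != null)
 attrs.put("uuid", uuid);
 }
-if (nextURI == null)
-nextURI = request.getParameter("nextURI");
 if (ex instanceof ComponentNotFoundException) {
 alert = generateAlertMessage(MISSING_REQUIRED_COMPONENT,
 Messages.get(MZk.UPDATE_OBSOLETE_PAGE, uuid));
@@ -213,9 +210,7 @@ public void service(HttpServletRequest request, HttpServletResponse response, St
 if (log.isTraceEnabled())
 log.trace(Objects.toString(attrs));
-if (nextURI == null || nextURI.length() == 0)
-nextURI = "~./zul/html/fileupload-done.html.dsp";
-Servlets.forward(_ctx, request, response, nextURI, attrs, Servlets.PASS_THRU_ATTR);
+Servlets.forward(_ctx, request, response, "~./zul/html/fileupload-done.html.dsp", attrs, Servlets.PASS_THRU_ATTR);
 }
 /** Handles the exception that was thrown when uploading files,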
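Review bot: The forward target in the last hunk is now a bare string literal inside `service`, with no indication of why it was made constant; a named constant with a short comment would document the invariant and keep the path in one place: `private static final String UPLOAD_DONE_URI = "~./zul/html/fileupload-done.html.dsp"; // fixed target: never taken from the request (ZK-5150)` and `Servlets.forward(_ctx, request, response, UPLOAD_DONE_URI, attrs, Servlets.PASS_THRU_ATTR);`. The same `nextURI` removal is made in AuDropUploader, where the corresponding forward is not shown. Note that `attrs` still carries the request-supplied `uuid` (third hunk) into the forwarded .dsp page via `PASS_THRU_ATTR`; whether that page escapes those values when rendering is not visible here and is worth confirming. `service` starts before the first hunk, and the last context line is the opening of a Javadoc comment cut mid-sentence.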
References
- github.com/advisories/GHSA-6278-2q4m-cmf3 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36537 (GHSA, advisory)
- github.com/zkoss/zk/commit/92a29aa9b1daf1fd2d9d188cb6545f0441d54e84 (GHSA, web)
- tracker.zkoss.org/browse/ZK-5150 (GHSA, web)
- www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw (GHSA, web)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (GHSA, web)
- www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/ (MITRE)