CVE-2023-46906
Description
Juzaweb CMS ≤3.4 has an incorrect access control vulnerability via unvalidated timezone field, causing application outage on HTTP 500.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
Juzaweb CMS versions up to and including 3.4 are vulnerable to an incorrect access control issue due to improper validation of the timezone field. A crafted payload can trigger a 500 HTTP status code, leading to an application outage. [2]
Exploitation
An attacker exploits this vulnerability by submitting a crafted timezone value in a request to the affected endpoint; per the advisory, no authentication is required. Because the value is not validated, the server raises an unhandled error and answers with HTTP 500, and the outage persists for as long as the bad value remains in place. [2]
Impact
Successful exploitation renders the application unavailable, denying service to legitimate users. The outage persists until the malicious input is removed or the system is restored. [2]
Mitigation
No official patch has been released as of the publication date. Until a fix is available, users should validate the timezone field strictly (reject any value that is not a known IANA timezone identifier) and restrict who is allowed to set that parameter. [2]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| juzaweb/cms | Packagist | <= 3.4 | — |
Affected products
- juzaweb/juzaweb
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to correctly validate the payload in the timezone field, leading to an authorization bypass."
Attack vector
An unauthenticated attacker can exploit this vulnerability by sending a crafted payload in the timezone field. This payload bypasses access control checks, resulting in an application outage characterized by a 500 HTTP status code. The vulnerability is present in versions of juzaweb up to and including 3.4 [ref_id=1].
Affected code
The vulnerability lies within the handling of the timezone field, where input validation is insufficient. This allows for improper access control, leading to application instability [ref_id=1].
What the fix does
The advisory gives no details of a patch or of remediation steps; it states only that the vulnerability results from incorrect access control caused by a failure to validate the timezone field's payload [ref_id=1]. No patched version is listed for juzaweb/cms, so until a release later than 3.4 that addresses the issue appears, strict validation of that field is the available mitigation.
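The advisory describes the defect only as unvalidated input in the timezone field that ends in an HTTP 500, and the mitigation sections above recommend strict validation of that field. The following is an added example, not Juzaweb's code and not the project's fix: it shows the unvalidated path (an unknown identifier makes PHP's DateTimeZone constructor throw, which an unhandled request handler renders as a 500) beside an allow-list check that turns the same input into a 422. The function names, the request shape and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not Juzaweb's code): allow-list validation of a
// user-supplied timezone value, beside the unvalidated handling that
// surfaces as an HTTP 500. Function names and request shape are assumed.

declare(strict_types=1);

/**
 * Returns the canonical IANA identifier if $input names a timezone PHP
 * knows, or null otherwise. Never throws, so a bad value can become a
 * 4xx response instead of an uncaught exception (HTTP 500).
 */
function validateTimezone(string $input): ?string
{
    // Cheap syntactic gate before touching the date extension:
    // identifier characters only, bounded length, no control bytes.
    if ($input === '' || strlen($input) > 64
        || !preg_match('~^[A-Za-z0-9/_+\-]+$~', $input)) {
        return null;
    }
    // Case-insensitive match against the allow-list shipped with PHP,
    // built once per process.
    static $known = null;
    if ($known === null) {
        $known = [];
        foreach (DateTimeZone::listIdentifiers() as $id) {
            $known[strtolower($id)] = $id;
        }
    }
    return $known[strtolower($input)] ?? null;
}

/**
 * Unvalidated path, mirroring the failure mode in the advisory: an
 * unknown identifier makes DateTimeZone's constructor throw, and an
 * unhandled exception inside a request handler is rendered as HTTP 500.
 */
function formatNowUnvalidated(string $tz): string
{
    $now = new DateTimeImmutable('now', new DateTimeZone($tz)); // throws on bad $tz
    return $now->format(DATE_ATOM);
}

/**
 * Hardened path: validate first, answer 422 on failure, 200 otherwise.
 * Returns [status, body] the way a minimal controller would.
 */
function handleTimezoneUpdate(array $request): array
{
    $tz = validateTimezone((string) ($request['timezone'] ?? ''));
    if ($tz === null) {
        return [422, 'timezone: must be a valid IANA timezone identifier'];
    }
    // The value is canonical and known to PHP, so it is safe to persist
    // and to pass to the date extension.
    return [200, formatNowUnvalidated($tz)];
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    ['timezone' => 'Europe/Berlin'],
    ['timezone' => 'europe/berlin'],            // normalised to Europe/Berlin
    ['timezone' => 'Not/A_Zone'],               // unknown: 422, not 500
    ['timezone' => "Europe/Berlin\0<script>"],  // junk bytes: 422
    ['timezone' => ''],                         // missing: 422
];

foreach ($samples as $req) {
    [$status, $body] = handleTimezoneUpdate($req);
    printf("%-32s -> %d %s\n", json_encode($req['timezone']), $status, $body);
}

// The same unknown value through the unvalidated path throws; inside a
// request handler that exception is what the user sees as HTTP 500.
try {
    formatNowUnvalidated('Not/A_Zone');
} catch (Exception $e) {
    echo "unvalidated path threw ", get_class($e), " (would be a 500)\n";
}
```

In a Laravel application such as this CMS the same allow-list is available as the framework's built-in `timezone` validation rule, which also checks against `timezone_identifiers_list()`; the point of the stand-alone version above is to make the distinction visible: the validated path converts a hostile value into a handled 4xx, while the unvalidated path lets the date extension throw and takes the request down with it.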
Preconditions
- The affected software is juzaweb version 3.4 or earlier.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.