ZK CKeditor / ZKCK-34

Zkoss CKEditor vulnerable to file browsing


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Affects Version/s: 4.7.0.0

      ZK CKEditor allows file browsing of arbitrary folders under the web root.

      An attacker can learn file names on the server, discover folders and gather similar information. Even though the code "ignores" the "WEB-INF" and "META-INF" paths, if one of them is set as the browsing root its contents are shown*.

      The parameter "Type" needs to be set to "Files"; the parameter "url" denotes the folder within the web root.

      See live demo here:
      https://www.zkoss.org/zkdemo/zkau/web/bb1940f4/ckez/html/browse.zul?Type=Files&url=/WEB-INF/&CKEditor=aLGPn-cnt&CKEditorFuncNum=2&langCode=en

      * limited to the extensions that can be seen in the source of ZK CKEditor (.jsp, .php, etc.), so file names with those extensions are still disclosed.
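      As an added illustration (not ZK CKEditor's own code, and not the fix applied for this issue), the following Java models the weak check the report describes and a hardened replacement. The web root, browse root, listing entries and request URLs are constructed assumptions; the report does not show the project's implementation.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not ZK CKEditor's own code. Models the report's point:
 * skipping WEB-INF/META-INF as *entries* of a listing does nothing when the
 * caller makes one of them the listing root. The web root, browse root and
 * request URLs below are constructed assumptions.
 */
public final class BrowseRootCheck {

    /** Folders a servlet container never serves; a file browser must not list them either. */
    static final Set<String> RESERVED = Set.of("WEB-INF", "META-INF");

    /**
     * Weak filter as the report describes it: applied to the names of the
     * entries found inside the requested folder. If the folder itself is
     * /WEB-INF/, its children (web.xml, classes, ...) pass straight through.
     */
    static List<String> weakFilter(List<String> entryNames) {
        List<String> kept = new ArrayList<>();
        for (String name : entryNames) {
            if (!RESERVED.contains(name)) {
                kept.add(name);
            }
        }
        return kept;
    }

    /**
     * Hardened check on the requested folder itself. Returns the canonical
     * folder to list, or null when the request must be refused:
     *  - the folder must resolve under the configured browse root, so
     *    "../" sequences and absolute paths cannot escape it;
     *  - no path segment may be WEB-INF or META-INF, compared
     *    case-insensitively because some filesystems are case-insensitive.
     */
    static Path resolveBrowseFolder(Path webRoot, Path browseRoot, String requestedUrl) {
        if (requestedUrl == null || requestedUrl.indexOf('\0') >= 0) {
            return null;
        }
        // The "url" parameter is a path inside the web root; strip any leading
        // slashes so it cannot be taken as an absolute filesystem path.
        String relative = requestedUrl.replace('\\', '/').replaceFirst("^/+", "");
        Path candidate = webRoot.resolve(relative).normalize();

        if (!candidate.startsWith(browseRoot.normalize())) {
            return null;                                   // escapes the browse root
        }
        for (Path segment : candidate) {
            if (RESERVED.contains(segment.toString().toUpperCase(Locale.ROOT))) {
                return null;                               // reserved folder at any depth
            }
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed listing of /WEB-INF/: the weak filter keeps every entry
        // because none of them is itself named WEB-INF or META-INF.
        List<String> webInfEntries = List.of("web.xml", "zk.xml", "classes", "lib");
        System.out.println("weak filter on /WEB-INF/ listing: " + weakFilter(webInfEntries));

        Path webRoot = Paths.get("/srv/zkdemo");            // assumption
        Path browseRoot = webRoot.resolve("ckez/uploads");   // assumption
        String[] requests = {
            "/ckez/uploads/images/",                 // legitimate
            "/WEB-INF/",                             // the report's live-demo request
            "/ckez/uploads/../../WEB-INF/classes/",  // traversal back out
            "/ckez/uploads/web-inf/",                // case variant
            "/META-INF/",
        };
        for (String url : requests) {
            Path folder = resolveBrowseFolder(webRoot, browseRoot, url);
            System.out.printf("%-42s -> %s%n", url, folder == null ? "REFUSED" : folder);
        }
    }
}
```

      The point of the hardened version is that the decision is made on the requested folder before anything is listed, not on the names coming back from the listing; filtering the listing by extension still discloses the names of .jsp and .php files. In a real deployment, resolve the candidate with `toRealPath()` as well, so a symbolic link inside the browse root cannot point back into WEB-INF.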

            People: rudyhuang, oskarsv
            Votes: 0
            Watchers: 2


                Original Estimate: Not Specified
                Remaining Estimate: 0m
                Time Spent: 1h