Vulnerabilities for 'Zzcms'

2018-09-17
CVE-2018-17136
CWE-89
zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header.

2018-09-02
CVE-2018-16344
CWE-22
An issue was discovered in zzcms 8.3. It allows remote attackers to delete arbitrary files via directory traversal sequences in the flv parameter. This can be leveraged for database access by deleting install.lock.

2018-08-20
CVE-2018-1000653
zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5. The attack appears to be exploitable when zzcms is running under nginx.

2018-08-06
CVE-2018-14963
CWE-352
zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI.

CVE-2018-14962
CWE-79
zzcms 8.3 has stored XSS related to the content variable in user/manage.php and zt/show.php.

CVE-2018-14961
CWE-89
dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql parameter.

2018-07-03
CVE-2018-13116
CWE-89
/user/del.php in zzcms 8.3 allows SQL injection via the tablename parameter after leveraging use of the zzcms_ask table.

2018-07-02
CVE-2018-13056
CWE-20
An issue was discovered in zzcms 8.3. There is a vulnerability at /user/del.php that can delete any file by placing its relative path into the zzcms_main table and then making an img add request. This can be leveraged for database access by deleting install.lock.

2018-04-06
CVE-2018-9331
CWE-22
An issue was discovered in zzcms 8.2. user/adv.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter. This can be leveraged for database access by deleting install.lock.

2018-04-04
CVE-2018-9309
CWE-89
An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.

Copyright 2018, cxsecurity.com