220 matches found
CVE-2018-9153
The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the appid parameter to zbusers/plugin/AppCentre/pluginedit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directl...
CVE-2018-9169
CVE-2018-9169 affects Z-BlogPHP 1.5.1 with a Cross-Site Scripting (XSS) vulnerability via the app_id parameter in zb_users/plugin/AppCentre/plugin_edit.php. The component must be accessed directly by an administrator or via CSRF. Root cause: improper handling of the app_id input enabling script i...
CVE-2018-9153
The CVE concerns Z-BlogPHP 1.5.1. The plugin upload component enables remote PHP code execution via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php due to an unanchored regular expression. Access must be direct by an administrator or via CSRF. This is a distinct issue from CVE-2...
Z-BlogPHP Cross-Site Request Forgery Vulnerability
Z-BlogPHP is a powerful blogging program. A cross-site request forgery vulnerability exists in pluginedit.php in Z-BlogPHP 1.5.1 Zero. An attacker can exploit this vulnerability to execute arbitrary PHP code...
CVE-2018-8893
Z-BlogPHP 1.5.1 Zero has CSRF in pluginedit.php, resulting in the ability to execute arbitrary PHP code...
Cross site request forgery (csrf)
Z-BlogPHP 1.5.1 Zero has CSRF in pluginedit.php, resulting in the ability to execute arbitrary PHP code...
CVE-2018-8893
Z-BlogPHP 1.5.1 Zero has CSRF in pluginedit.php, resulting in the ability to execute arbitrary PHP code...
CVE-2018-8893
Z-BlogPHP 1.5.1 Zero contains a CSRF flaw in plugin_edit.php that can lead to remote arbitrary PHP code execution. Affected component: plugin_edit.php within Z-BlogPHP 1.5.1 Zero. Root cause: cross-site request forgery enabling code execution (as described in CVE-2018-8893). The connected documen...
CVE-2018-8893
Z-BlogPHP 1.5.1 Zero has CSRF in pluginedit.php, resulting in the ability to execute arbitrary PHP code...
Z-BlogPHP Website Physical Path Disclosure Vulnerability
Z-BlogPHP is an open source PHP-based blogging system developed by the Z-Blog community. A security vulnerability exists in Z-BlogPHP version 1.5.1.1740. An attacker can exploit the vulnerability to obtain a physical path...
Design/Logic Flaw
DISPUTED In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZCBLOGSUBNAME parameter or ZCUPLOADFILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability...
Design/Logic Flaw
DISPUTED In Z-BlogPHP 1.5.1.1740, there is Web Site physical path leakage, as demonstrated by adminfooter.php or adminfooter.php. NOTE: the software maintainer disputes that this is a vulnerability...
CVE-2018-7736
In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZCBLOGSUBNAME parameter or ZCUPLOADFILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability...
CVE-2018-7737
In Z-BlogPHP 1.5.1.1740, there is Web Site physical path leakage, as demonstrated by adminfooter.php or adminfooter.php. NOTE: the software maintainer disputes that this is a vulnerability...
CVE-2018-7737
Z-BlogPHP 1.5.1.1740 has a reported Web Site physical path leakage vulnerability. The issue is described as path disclosure affecting admin/footer and related admin files, with the maintainer disputing it as a vulnerability. Public PoCs/Exploits exist (e.g., Exploit-DB, PacketStorm, Exploit packs...
CVE-2018-7736
Z-BlogPHP 1.5.1.1740 has an XSS issue in cmd.php exploitable via ZC_BLOG_SUBNAME or ZC_UPLOAD_FILETYPE (observed payloads demonstrate client-side script injection). The CVE entry notes the maintainer disputes this as a vulnerability. Connected sources (Exploit-DB, 1337DAY, PacketStorm) describe w...
CVE-2018-7736
In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZCBLOGSUBNAME parameter or ZCUPLOADFILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability...
CVE-2018-7737
In Z-BlogPHP 1.5.1.1740, there is Web Site physical path leakage, as demonstrated by adminfooter.php or adminfooter.php. NOTE: the software maintainer disputes that this is a vulnerability...
PT-2018-18248 · Z Blogphp · Z-Blogphp
Name of the Vulnerable Software and Affected Versions: Z-BlogPHP version 1.5.1.1740 Description: There is a potential issue in Z-BlogPHP where the physical path of the web site may be leaked, as demonstrated by accessing certain files such as admin footer.php. However, it's noted that the softwar...
Path traversal
Z-BlogPHP 1.5.1 allows remote attackers to discover the full path via a direct request to zbsystem/function/lib/upload.php...