ZZcms - Cross-Site Scripting

ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks. id: CVE-2020-20285 info: name: ZZcms -...

ZZCMS 2022 - Path Information Disclosure

An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request. id: CVE-2022-40443 info: name: ZZCMS 2022 - Path Information Disclosure author: ritikchaddha severity: low description: | An absolute path traversal vulnerability in...

CVE-2023-50104

ZZCMS 2023 has a file upload vulnerability in 3/Ebak5.1/upload/index.php, allowing attackers to exploit this loophole to gain server privileges and execute arbitrary code...

CVE-2018-1000653

zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx...

CVE-2019-12356

An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dlsdownload.php when the attacker has dlsdownload authority via the id parameter...

CVE-2019-12352

An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dlsendmail.php when the attacker has dlsprint authority via a dlid cookie...

CVE-2019-12348

An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter...

CVE-2019-12357

An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/deluser.php when the attacker has admin authority via the id parameter...

CVE-2019-12353

An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/dlsendmail.php when the attacker has admin authority via the id parameter...

CVE-2019-12355

An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dlsprint.php when the attacker has dlsprint authority via the id parameter...

CVE-2025-14836

A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/usersave.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is possible. The exploit has...

CVE-2025-14837

A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has bee...

CVE-2025-14837

A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has bee...

CVE-2025-14837

A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has bee...

ZZCMS 代码注入漏洞

ZZCMS is a content management system CMS from the China ZZCMS team. A code injection vulnerability exists in ZZCMS version 2025, which stems from incorrect manipulation of the parameter icp in the back-end site settings module file /admin/siteconfig.php, which may lead to code injection...

EUVD-2025-204005

A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has bee...

CVE-2025-14837 ZZCMS Backend Website Settings siteconfig.php stripfxg code injection

A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has bee...

CVE-2025-14837 ZZCMS Backend Website Settings siteconfig.php stripfxg code injection

A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has bee...

CVE-2025-14837

ZZCMS 2025 has a code injection vulnerability in the Backend Website Settings Module. The stripfxg function in /admin/siteconfig.php mishandles the icp argument, enabling remote code execution. Exploit has been publicly disclosed. Affected: ZZCMS 2025; file: /admin/siteconfig.php; function: strip...

CVE-2025-14836

A flaw has been found in ZZCMS 2025. Affected by this vulnerability is an unknown functionality of the file /reg/usersave.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. Remote exploitation of the attack is possible. The exploit has...