Zzcms Security Vulnerabilities and Issues — Page 2 of Zzcms CVE List

A reflected cross-site scripting (XSS) vulnerability in the component dl_liuyan_save.php of ZZCMS v2023 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload.

4.7CVSS6.2AI score0.00138EPSS

CVE•added 2024/08/19 6:15 p.m.•38 views

CVE-2024-7924

A vulnerability was found in ZZCMS 2023. It has been declared as critical. This vulnerability affects unknown code of the file /I/list.php. The manipulation of the argument skin leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be us...

7.5CVSS5.5AI score0.00663EPSS

Web

CVE•added 2024/08/19 6:15 p.m.•38 views

CVE-2024-7925

A vulnerability was found in ZZCMS 2023. It has been rated as problematic. This issue affects some unknown processing of the file 3/E_bak5.1/upload/eginfo.php. The manipulation of the argument phome with the input ShowPHPInfo leads to information disclosure. The attack may be initiated remotely. Th...

7.5CVSS4.5AI score0.00044EPSS

Web

CVE•added 2018/07/02 3:29 p.m.•37 views

CVE-2018-13056

An issue was discovered on zzcms 8.3. There is a vulnerability at /user/del.php that can delete any file by placing its relative path into the zzcms_main table and then making an img add request. This can be leveraged for database access by deleting install.lock.

7.5CVSS7.5AI score0.00237EPSS

Web

CVE•added 2018/08/06 3:29 p.m.•37 views

CVE-2018-14962

zzcms 8.3 has stored XSS related to the content variable in user/manage.php and zt/show.php.

5.4CVSS5.2AI score0.00206EPSS

Web

CVE•added 2018/09/17 6:29 a.m.•37 views

CVE-2018-17136

zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header.

9.8CVSS9.7AI score0.00264EPSS

Web

CVE•added 2021/12/09 4:15 p.m.•37 views

CVE-2021-40280

An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.

7.2CVSS7.4AI score0.00274EPSS

Web

CVE•added 2024/08/16 8:15 p.m.•37 views

CVE-2024-43011

An arbitrary file deletion vulnerability exists in the admin/del.php file at line 62 in ZZCMS 2023 and earlier. Due to insufficient validation and sanitization of user input for file paths, an attacker can exploit this vulnerability by using directory traversal techniques to delete arbitrary files ...

4.9CVSS7.3AI score0.00889EPSS

Web

CVE•added 2024/09/04 4:15 p.m.•37 views

CVE-2024-44817

SQL Injection vulnerability in ZZCMS v.2023 and before allows a remote attacker to obtain sensitive information via the id parameter in the adv2.php component.

8.8CVSS7.8AI score0.00691EPSS

CVE•added 2024/08/19 8:15 p.m.•37 views

CVE-2024-7926

A vulnerability classified as critical has been found in ZZCMS 2023. Affected is an unknown function of the file /admin/about_edit.php?action=modify. The manipulation of the argument skin leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the pu...

7.5CVSS7.3AI score0.00262EPSS

Web

CVE•added 2018/08/20 7:31 p.m.•36 views

CVE-2018-1000653

zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx.

9.8CVSS9.7AI score0.00264EPSS

CVE•added 2018/07/03 7:29 p.m.•36 views

CVE-2018-13116

/user/del.php in zzcms 8.3 allows SQL injection via the tablename parameter after leveraging use of the zzcms_ask table.

9.8CVSS9.8AI score0.00264EPSS

Web

CVE•added 2018/08/06 3:29 p.m.•36 views

CVE-2018-14963

zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI.

8.8CVSS8.7AI score0.00141EPSS

Web

CVE•added 2018/03/24 6:29 p.m.•36 views

CVE-2018-8967

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.

9.8CVSS9.7AI score0.00503EPSS

CVE•added 2018/03/24 6:29 p.m.•36 views

CVE-2018-8968

An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

7.5CVSS7.6AI score0.00752EPSS

Web

CVE•added 2019/07/23 2:15 p.m.•36 views

CVE-2019-1010148

zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution.

9.8CVSS9.6AI score0.00621EPSS

CVE•added 2022/06/02 2:15 p.m.•36 views

CVE-2019-12351

An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma.

9.8CVSS9.8AI score0.00388EPSS

Web

CVE•added 2019/02/24 5:29 p.m.•36 views

CVE-2019-9078

zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT.

5.4CVSS5.3AI score0.00206EPSS

Web

CVE•added 2022/09/22 2:15 p.m.•36 views

CVE-2022-40444

ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server.

5.3CVSS5.2AI score0.00167EPSS

Web

CVE•added 2024/10/23 4:15 p.m.•36 views

CVE-2024-10291

A vulnerability has been found in ZZCMS 2023 and classified as critical. This vulnerability affects the function Ebak_DoExecSQL/Ebak_DotranExecutSQL of the file 3/Ebak5.1/upload/phome.php. The manipulation of the argument phome leads to sql injection. The attack can be initiated remotely. The explo...

9.8CVSS7AI score0.00127EPSS

Web

CVE•added 2019/03/07 11:29 p.m.•35 views

CVE-2018-17414

zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter.

8.8CVSS8.9AI score0.00244EPSS

Web

CVE•added 2018/03/24 6:29 p.m.•35 views

CVE-2018-8965

An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

7.5CVSS7.6AI score0.00814EPSS

Web

CVE•added 2018/04/05 1:29 a.m.•35 views

CVE-2018-9309

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.

9.8CVSS9.7AI score0.00547EPSS

Web

CVE•added 2019/02/17 7:29 p.m.•35 views

CVE-2019-8411

admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal.

7.5CVSS7.5AI score0.01177EPSS

Web

CVE•added 2022/09/22 2:15 p.m.•35 views

CVE-2022-40447

ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php.

7.2CVSS7.2AI score0.00086EPSS

Web

CVE•added 2024/08/16 8:15 p.m.•35 views

CVE-2024-43006

A stored cross-site scripting (XSS) vulnerability exists in ZZCMS2023 in the ask/show.php file at line 21. An attacker can exploit this vulnerability by sending a specially crafted POST request to /user/ask_edit.php?action=add, which includes malicious JavaScript code in the 'content' parameter. Wh...

5.4CVSS5.6AI score0.00077EPSS

Web

CVE•added 2018/08/06 3:29 p.m.•34 views

CVE-2018-14961

dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql parameter.

9.8CVSS9.8AI score0.00264EPSS

Web

CVE•added 2019/03/07 11:29 p.m.•34 views

CVE-2018-17412

zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header.

9.8CVSS9.7AI score0.00307EPSS

Web

CVE•added 2019/03/07 11:29 p.m.•34 views

CVE-2018-17416

A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adclass.php bigclassid parameter.

7.2CVSS7.3AI score0.0026EPSS

Web

CVE•added 2018/10/29 12:29 p.m.•34 views

CVE-2018-18790

An issue was discovered in zzcms 8.3. SQL Injection exists in admin/special_add.php via a zxbigclassid cookie. (This needs an admin user login.)

7.2CVSS7.4AI score0.0026EPSS

Web

CVE•added 2018/03/24 6:29 p.m.•34 views

CVE-2018-8969

An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

7.5CVSS7.6AI score0.00752EPSS

Web

CVE•added 2021/01/11 3:15 p.m.•34 views

CVE-2020-23630

A blind SQL injection vulnerability exists in zzcms ver201910 based on time (cookie injection).

8.8CVSS8.9AI score0.00308EPSS

CVE•added 2019/03/07 11:29 p.m.•33 views

CVE-2018-17413

XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter.

6.1CVSS5.9AI score0.0024EPSS

CVE•added 2019/07/23 2:15 p.m.•33 views

CVE-2019-1010153

zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php.

9.8CVSS9.6AI score0.00307EPSS

CVE•added 2021/10/14 3:15 p.m.•33 views

CVE-2020-19959

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie.

7.5CVSS7.8AI score0.00403EPSS

Web

CVE•added 2021/10/14 3:15 p.m.•33 views

CVE-2020-19961

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php.

7.5CVSS7.7AI score0.00788EPSS

CVE•added 2021/12/09 5:15 p.m.•33 views

CVE-2021-40281

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.

8.8CVSS9.1AI score0.00257EPSS

CVE•added 2018/10/29 12:29 p.m.•32 views

CVE-2018-18784

An issue was discovered in zzcms 8.3. SQL Injection exists in admin/tagmanage.php via the tabletag parameter. (This needs an admin user login.)

7.2CVSS7.4AI score0.0026EPSS

Web

CVE•added 2018/10/29 12:29 p.m.•32 views

CVE-2018-18789

An issue was discovered in zzcms 8.3. SQL Injection exists in zt/top.php via a Host HTTP header to zt/news.php.

9.8CVSS9.6AI score0.00264EPSS

Web

CVE•added 2018/03/24 6:29 p.m.•32 views

CVE-2018-8966

An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.

7.5CVSS7.7AI score0.00636EPSS

Web

CVE•added 2018/09/30 8:29 p.m.•31 views

CVE-2018-17797

An issue was discovered in zzcms 8.3. user/zssave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

6.5CVSS6.5AI score0.00258EPSS

Web

CVE•added 2021/10/14 3:15 p.m.•31 views

CVE-2020-19957

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page.

7.5CVSS7.7AI score0.00403EPSS

Web

CVE•added 2024/10/23 4:15 p.m.•31 views

CVE-2024-10292

A vulnerability was found in ZZCMS 2023 and classified as critical. This issue affects some unknown processing of the file 3/Ebak5.1/upload/ChangeTable.php. The manipulation of the argument savefilename leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclos...

9.8CVSS6.8AI score0.00241EPSS

Web

CVE•added 2018/10/29 12:29 p.m.•30 views

CVE-2018-18785

An issue was discovered in zzcms 8.3. SQL Injection exists in zs/subzs.php with a zzcmscpid cookie to zs/search.php.

9.8CVSS9.7AI score0.00264EPSS

Web

CVE•added 2018/10/29 12:29 p.m.•29 views

CVE-2018-18786

An issue was discovered in zzcms 8.3. SQL Injection exists in ajax/zs.php via a pxzs cookie.

9.8CVSS9.7AI score0.00264EPSS

Web