Zzzphp Security Vulnerabilities and Issues — Zzzphp CVE List

Lucene search

ZzzcmsZzzphp

14 matches found

CVE•added 2019/02/24 6:29 p.m.•1188 views

CVE-2019-9082

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

9.3CVSS8.7AI score0.94149EPSS

CVE•added 2022/03/23 9:15 p.m.•102 views

CVE-2022-23881

ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php.

9.8CVSS9.7AI score0.86657EPSS

CVE•added 2019/02/23 6:29 p.m.•85 views

CVE-2019-9041

An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.

7.2CVSS7.1AI score0.85674EPSS

CVE•added 2021/05/11 11:15 p.m.•73 views

CVE-2021-32605

zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block.

9.8CVSS9.8AI score0.21913EPSS

CVE•added 2020/12/18 7:15 p.m.•62 views

CVE-2020-20298

Eval injection vulnerability in the parserCommom method in the ParserTemplate class in zzz_template.php in zzzphp 1.7.2 allows remote attackers to execute arbitrary commands.

9.8CVSS9.6AI score0.06441EPSS

CVE•added 2023/10/18 11:15 p.m.•49 views

CVE-2023-45909

zzzcms v2.2.0 was discovered to contain an open redirect vulnerability.

6.1CVSS6.3AI score0.00066EPSS

CVE•added 2019/10/14 12:15 p.m.•40 views

CVE-2019-17408

parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr.

9.8CVSS9.6AI score0.01969EPSS

CVE•added 2019/09/23 2:15 p.m.•39 views

CVE-2019-16720

ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file.

7.5CVSS7.5AI score0.00282EPSS

CVE•added 2019/03/30 1:29 p.m.•38 views

CVE-2019-10647

ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if t...

9.8CVSS9.5AI score0.00806EPSS

CVE•added 2019/09/23 2:15 p.m.•37 views

CVE-2019-16722

ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation.

9.8CVSS9.5AI score0.03559EPSS

CVE•added 2021/03/15 5:15 p.m.•30 views

CVE-2020-24877

A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass.

9.8CVSS9.6AI score0.00546EPSS

CVE•added 2019/02/26 7:29 a.m.•28 views

CVE-2019-9182

There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter.

8.8CVSS8.8AI score0.00145EPSS

CVE•added 2018/12/13 8:29 a.m.•27 views

CVE-2018-20127

An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.

7.5CVSS7.5AI score0.00768EPSS

CVE•added 2021/02/05 2:15 p.m.•26 views

CVE-2020-18717

SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php.

9.8CVSS9.8AI score0.07212EPSS