CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2021-32605
https://notcve.org/view.php?id=CVE-2021-32605
11 May 2021 — zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block. zzzcms zzzphp versiones anteriores a 2.0.4, permite a atacantes remotos ejecutar comandos arbitrarios del Sistema Operativo al colocarlos en el parámetro keys de un URI ?location=search, como es demostrado por un comando del Sistema Operativo dentro de un bloque "if" "end if" • http://www.zzzcms.com/a/news/31_282_1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20127
https://notcve.org/view.php?id=CVE-2018-20127
13 Dec 2018 — An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds. Se ha descubierto un problema en zzzphp cms 1.5.8. del_file en /admin/save.php permite que atacantes remotos eliminen archivos arbitrarios mediante una extensión con mayúsculas y minúsculas y un carácter "." extra. Esto se debe a que, por ejemplo, "php" se bloquea, ... • http://www.iwantacve.cn/index.php/archives/89 • CWE-20: Improper Input Validation •