CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13056
https://notcve.org/view.php?id=CVE-2018-13056
02 Jul 2018 — An issue was discovered on zzcms 8.3. There is a vulnerability at /user/del.php that can delete any file by placing its relative path into the zzcms_main table and then making an img add request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.3. Hay una vulnerabilidad en /user/del.php que puede eliminar cualquier archivo colocando su ruta relativa en la tabla principal de zzcms_main y luego haciendo una petición img add. • https://github.com/actionyz/ZZCMS/blob/master/del.php.md • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-9331
https://notcve.org/view.php?id=CVE-2018-9331
07 Apr 2018 — An issue was discovered in zzcms 8.2. user/adv.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.2, en user/adv.php, que permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro oldimg. Esto se puede aprovechar para conseguir acceso a bases de datos mediante la eliminación de i... • https://github.com/cherryla/zzcms/blob/master/adv.php.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-9309
https://notcve.org/view.php?id=CVE-2018-9309
05 Apr 2018 — An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request. Se ha descubierto un problema en zzcms 8.2. Permite la inyección SQL mediante el parámetro id en una petición dl/dl_sendsms.php. • https://github.com/lihonghuyang/vulnerability/blob/master/dl_sendsms.php.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8968
https://notcve.org/view.php?id=CVE-2018-8968
24 Mar 2018 — An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.2, en user/manage.php, que permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en los parámetros oldimg o oldflv, en una petición action=modify. Esto s... • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/manage.php.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8969
https://notcve.org/view.php?id=CVE-2018-8969
24 Mar 2018 — An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.2, en user/licence_save.php, que permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro oldimg, en una petición action=modify. Esto se puede a... • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/licence_save.php.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8967
https://notcve.org/view.php?id=CVE-2018-8967
24 Mar 2018 — An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request. Se ha descubierto un problema en zzcms 8.2 que permite la inyección SQL mediante el parámetro id en una petición adv2.php?action=modify. • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/adv2.php.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8965
https://notcve.org/view.php?id=CVE-2018-8965
24 Mar 2018 — An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.2, en user/ppsave.php, que permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro oldimg, en una petición action=modify. Esto se puede aprovechar pa... • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/ppsave.php.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8966
https://notcve.org/view.php?id=CVE-2018-8966
24 Mar 2018 — An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php. Se ha descubierto un problema en zzcms 8.2 que permite la inyección de código PHP mediante el parámetro siteurl en install/index.php, como se ha demostrado inyectando una llamada phpinfo() en /inc/config.php. • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/install.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7434
https://notcve.org/view.php?id=CVE-2018-7434
24 Feb 2018 — zzcms 8.2 allows remote attackers to discover the full path via a direct request to 3/qq_connect2.0/API/class/ErrorCase.class.php or 3/ucenter_api/code/friend.php. zzcms 8.2 permite que atacantes remotos descubran la ruta completa mediante una petición directa a 3/qq_connect2.0/API/class/ErrorCase.class.php o 3/ucenter_api/code/friend.php. • https://github.com/kongxin520/zzcms/blob/master/zzcms_8.2_bug.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •