CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18792
https://notcve.org/view.php?id=CVE-2018-18792
29 Oct 2018 — An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs_list.php via a pxzs cookie. Se ha descubierto un problema en zzcms 8.3. Existe inyección SQL en zs/zs_list.php mediante una cookie pxzs. • https://github.com/qiubaoyang/CVEs/blob/master/zzcms/zzcms.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18789
https://notcve.org/view.php?id=CVE-2018-18789
29 Oct 2018 — An issue was discovered in zzcms 8.3. SQL Injection exists in zt/top.php via a Host HTTP header to zt/news.php. Se ha descubierto un problema en zzcms 8.3. Existe una inyección SQL en zt/top.php mediante una cabecera Host HTTP en zt/news.php. • https://github.com/qiubaoyang/CVEs/blob/master/zzcms/zzcms.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18784
https://notcve.org/view.php?id=CVE-2018-18784
29 Oct 2018 — An issue was discovered in zzcms 8.3. SQL Injection exists in admin/tagmanage.php via the tabletag parameter. (This needs an admin user login.) Se ha descubierto un problema en zzcms 8.3. Existe una inyección SQL en admin/tagmanage.php mediante el parámetro tabletag. • https://github.com/qiubaoyang/CVEs/blob/master/zzcms/zzcms.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18790
https://notcve.org/view.php?id=CVE-2018-18790
29 Oct 2018 — An issue was discovered in zzcms 8.3. SQL Injection exists in admin/special_add.php via a zxbigclassid cookie. (This needs an admin user login.) Se ha descubierto un problema en zzcms 8.3. Existe inyección SQL en admin/special_add.php mediante una cookie zxbigclassid. • https://github.com/qiubaoyang/CVEs/blob/master/zzcms/zzcms.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18788
https://notcve.org/view.php?id=CVE-2018-18788
29 Oct 2018 — An issue was discovered in zzcms 8.3. SQL Injection exists in admin/classmanage.php via the tablename parameter. (This needs an admin user login.) Se ha descubierto un problema en zzcms 8.3. Existe una inyección SQL en admin/classmanage.php mediante el parámetro tablename. • https://github.com/qiubaoyang/CVEs/blob/master/zzcms/zzcms.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17797
https://notcve.org/view.php?id=CVE-2018-17797
30 Sep 2018 — An issue was discovered in zzcms 8.3. user/zssave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.3, en user/zssave.php que permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro oldimg, en una petición action=modify. Esto se puede aprovechar par... • https://github.com/seedis/zzcms/blob/master/arbitrary_file_deletion1.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17798
https://notcve.org/view.php?id=CVE-2018-17798
30 Sep 2018 — An issue was discovered in zzcms 8.3. user/ztconfig.php allows remote attackers to delete arbitrary files via an absolute pathname in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.3, en user/ztconfig.php, que permite que atacantes remotos eliminen archivos arbitrarios mediante un nombre de ruta absoluto en el parámetro oldimg, en una petición action=modify. Esto se puede aprovechar para conseguir... • https://github.com/seedis/zzcms/blob/master/arbitrary_file_deletion2.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17136
https://notcve.org/view.php?id=CVE-2018-17136
17 Sep 2018 — zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header. zzcms 8.3 contiene una vulnerabilidad de inyección SQL en /user/check.php mediante una cabecera HTTP Client-Ip. • https://github.com/TEag1e/zzcms • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-16344
https://notcve.org/view.php?id=CVE-2018-16344
02 Sep 2018 — An issue was discovered in zzcms 8.3. It allows remote attackers to delete arbitrary files via directory traversal sequences in the flv parameter. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.3. Permite que los atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro flv. • https://github.com/cumtxujiabin/CmsPoc/blob/master/zzcms_8.3_file_del.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000653
https://notcve.org/view.php?id=CVE-2018-1000653
20 Aug 2018 — zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx. zzcms en versiones 8.3 y anteriores contiene una vulnerabilidad de inyección SQL en la línea 5 de zt/top.php que puede resultar en una inyección SQL en zzcms en nginx. Este ataque parece ser explotable ejecutando zzcms en nginx. • https://gist.github.com/Lz1y/3388fa886a3e10edd2a7e93d3c3e5b6c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •