CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000653
https://notcve.org/view.php?id=CVE-2018-1000653
20 Aug 2018 — zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx. zzcms en versiones 8.3 y anteriores contiene una vulnerabilidad de inyección SQL en la línea 5 de zt/top.php que puede resultar en una inyección SQL en zzcms en nginx. Este ataque parece ser explotable ejecutando zzcms en nginx. • https://gist.github.com/Lz1y/3388fa886a3e10edd2a7e93d3c3e5b6c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14962
https://notcve.org/view.php?id=CVE-2018-14962
06 Aug 2018 — zzcms 8.3 has stored XSS related to the content variable in user/manage.php and zt/show.php. zzcms 8.3 tiene Cross-Site Scripting persistente relacionado con la variable content en user/manage.php y zt/show.php. • https://github.com/AvaterXXX/ZZCMS/blob/master/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-14961
https://notcve.org/view.php?id=CVE-2018-14961
06 Aug 2018 — dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql parameter. dl/dl_sendmail.php en zzcms 8.3 tiene una inyección SQL mediante el parámetro sql. • https://blog.csdn.net/weixin_42813492/article/details/81240523 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14963
https://notcve.org/view.php?id=CVE-2018-14963
06 Aug 2018 — zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI. zzcms 8.3 tiene Cross-Site Request Forgery (CSRF) mediante el URI admin/adminadd.php?action=add. • https://github.com/AvaterXXX/ZZCMS/blob/master/README.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13116
https://notcve.org/view.php?id=CVE-2018-13116
03 Jul 2018 — /user/del.php in zzcms 8.3 allows SQL injection via the tablename parameter after leveraging use of the zzcms_ask table. /user/del.php en zzcms 8.3 permite la inyección SQL mediante el parámetro tablename después de usar la tabla zzcms_ask. • https://github.com/actionyz/ZZCMS/blob/master/SQL/1/del.php.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-13056
https://notcve.org/view.php?id=CVE-2018-13056
02 Jul 2018 — An issue was discovered on zzcms 8.3. There is a vulnerability at /user/del.php that can delete any file by placing its relative path into the zzcms_main table and then making an img add request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.3. Hay una vulnerabilidad en /user/del.php que puede eliminar cualquier archivo colocando su ruta relativa en la tabla principal de zzcms_main y luego haciendo una petición img add. • https://github.com/actionyz/ZZCMS/blob/master/del.php.md • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-9331
https://notcve.org/view.php?id=CVE-2018-9331
07 Apr 2018 — An issue was discovered in zzcms 8.2. user/adv.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.2, en user/adv.php, que permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro oldimg. Esto se puede aprovechar para conseguir acceso a bases de datos mediante la eliminación de i... • https://github.com/cherryla/zzcms/blob/master/adv.php.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-9309
https://notcve.org/view.php?id=CVE-2018-9309
05 Apr 2018 — An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request. Se ha descubierto un problema en zzcms 8.2. Permite la inyección SQL mediante el parámetro id en una petición dl/dl_sendsms.php. • https://github.com/lihonghuyang/vulnerability/blob/master/dl_sendsms.php.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8968
https://notcve.org/view.php?id=CVE-2018-8968
24 Mar 2018 — An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.2, en user/manage.php, que permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en los parámetros oldimg o oldflv, en una petición action=modify. Esto s... • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/manage.php.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-8969
https://notcve.org/view.php?id=CVE-2018-8969
24 Mar 2018 — An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. Se ha descubierto un problema en zzcms 8.2, en user/licence_save.php, que permite que atacantes remotos eliminen archivos arbitrarios mediante secuencias de salto de directorio en el parámetro oldimg, en una petición action=modify. Esto se puede a... • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/licence_save.php.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •