CVE-2018-8967
https://notcve.org/view.php?id=CVE-2018-8967
24 Mar 2018 — An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request. • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/adv2.php.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
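The pattern behind this entry, as an added example that is not zzcms code and not part of the advisory: an id request parameter spliced into a query in an action=modify handler, beside a hardened version that validates and binds it. The table layout, column names, function names and the use of an in-memory SQLite database (pdo_sqlite) are assumptions made for illustration.

```php
<?php
// Added example, not zzcms code. Illustrates the CWE-89 pattern of
// CVE-2018-8967: an "id" request parameter concatenated into SQL.
// Table, columns, function names and pdo_sqlite are assumptions.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE zzcms_adv (id INTEGER PRIMARY KEY, title TEXT, userid INTEGER)');
// Constructed rows: id 1 belongs to user 7, id 2 to user 8.
$db->exec("INSERT INTO zzcms_adv VALUES (1, 'my banner', 7), (2, 'someone else', 8)");

// Vulnerable pattern: the id is spliced into the statement. Because AND binds
// tighter than OR, "2 OR 1=1" turns the WHERE clause into
//   id=2 OR (1=1 AND userid=7)
// and the ownership filter no longer restricts which ad is loaded.
function load_adv_vulnerable(PDO $db, string $id, int $userid): array
{
    $sql = "SELECT id, title FROM zzcms_adv WHERE id=" . $id . " AND userid=" . $userid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: accept only a decimal integer, then bind it as a
// parameter so the value can never be parsed as SQL.
function load_adv_safe(PDO $db, string $id, int $userid): array
{
    if (preg_match('/^[1-9][0-9]{0,9}$/', $id) !== 1) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, title FROM zzcms_adv WHERE id = :id AND userid = :uid');
    $stmt->execute([':id' => (int) $id, ':uid' => $userid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = '2 OR 1=1';
print_r(load_adv_vulnerable($db, $payload, 7)); // user 7 reaches user 8's row through the injected OR
print_r(load_adv_safe($db, $payload, 7));       // non-numeric id is rejected before any query runs
print_r(load_adv_safe($db, '1', 7));            // legitimate lookup of the caller's own row
```

Binding alone would already stop the injection; the integer check in front of it keeps error messages and logs free of attacker-controlled SQL fragments and gives the handler a single place to reject malformed ids.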
CVE-2018-8965
https://notcve.org/view.php?id=CVE-2018-8965
24 Mar 2018 — An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock: removing the lock file re-exposes the installer (install/index.php), which is how the reported database-access impact arises. • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/ppsave.php.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
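The deletion pattern behind this entry, as an added example that is not zzcms code and not part of the advisory: an old-image path taken from the request and passed to unlink(), beside a hardened version that confines the target to the upload directory. The function names, the upload directory layout and the temporary-directory demo are assumptions made for illustration.

```php
<?php
// Added example, not zzcms code. Illustrates the CWE-22 pattern of
// CVE-2018-8965: a user-supplied "oldimg" value deleted without confining
// it to the upload directory. Names and layout are assumptions.

declare(strict_types=1);

// Vulnerable pattern: whatever the client sends is joined to the upload
// directory and deleted. "../install.lock" walks out of that directory.
function delete_old_image_vulnerable(string $uploadDir, string $oldimg): bool
{
    $path = $uploadDir . '/' . $oldimg;
    return file_exists($path) && unlink($path);
}

// Hardened pattern: only a bare file name is expected, so reject separators,
// NUL bytes and leading dots up front, then canonicalise both the base
// directory and the candidate and require the candidate to stay inside.
function delete_old_image_safe(string $uploadDir, string $oldimg): bool
{
    if ($oldimg === '' || preg_match('#[/\\\\\x00]|^\.#', $oldimg) === 1) {
        return false;
    }

    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() resolves symlinks as well as ".." segments, so a symlink in
    // the upload directory that points elsewhere also fails the prefix check.
    $target = realpath($base . $oldimg);
    if ($target === false || strncmp($target, $base, strlen($base)) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree: <tmp>/install.lock and <tmp>/upload/pic.jpg.
$root = sys_get_temp_dir() . '/zzcms_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/upload', 0700, true);
file_put_contents($root . '/install.lock', 'locked');
file_put_contents($root . '/upload/pic.jpg', 'image');

var_dump(delete_old_image_vulnerable($root . '/upload', '../install.lock')); // traversal reaches the lock file
file_put_contents($root . '/install.lock', 'locked');                       // restore it for the next call
var_dump(delete_old_image_safe($root . '/upload', '../install.lock'));      // same input, rejected
var_dump(delete_old_image_safe($root . '/upload', 'pic.jpg'));              // legitimate delete inside the base

// Remove the constructed tree.
@unlink($root . '/install.lock');
@rmdir($root . '/upload');
@rmdir($root);
```

The prefix comparison is done on the realpath() result with a trailing separator appended to the base, so a sibling directory whose name merely starts with the base name (upload2 next to upload) is not accepted. The early character check is what makes the rejection independent of filesystem state: a traversal attempt is refused even when the target does not exist and realpath() would return false anyway.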
CVE-2018-8966
https://notcve.org/view.php?id=CVE-2018-8966
24 Mar 2018 — An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php. • https://github.com/Ni9htMar3/vulnerability/blob/master/zzcms_8.2/install.md • CWE-94: Improper Control of Generation of Code ('Code Injection')
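The generation pattern behind this entry, as an added example that is not zzcms code and not part of the advisory: an installer that interpolates a request parameter straight into PHP source it writes to a config file, beside a hardened version that validates the value and emits it as a proper PHP literal. The config template, the function names and the lock-file check are assumptions made for illustration.

```php
<?php
// Added example, not zzcms code. Illustrates the CWE-94 pattern of
// CVE-2018-8966: a "siteurl" parameter interpolated into generated PHP
// source (inc/config.php). Template and function names are assumptions.

declare(strict_types=1);

// Vulnerable pattern: string interpolation into source code. A siteurl of
//   ';phpinfo();//
// closes the quoted literal, appends a statement and comments out the
// remainder of the line, so the generated file now executes phpinfo().
function render_config_vulnerable(string $siteurl): string
{
    return "<?php\n\$siteurl = '" . $siteurl . "';\n";
}

// Hardened pattern: validate the value against the shape of a base URL, then
// let var_export() produce a correctly quoted and escaped PHP literal. The
// second step alone prevents breaking out of the string; the first keeps
// junk out of the config even when it would have been quoted safely.
function render_config_safe(string $siteurl): string
{
    $parts = parse_url($siteurl);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array($parts['scheme'], ['http', 'https'], true)
        || isset($parts['query']) || isset($parts['fragment'])
        || preg_match('/^[A-Za-z0-9.-]+$/', $parts['host']) !== 1) {
        throw new InvalidArgumentException('siteurl must be a plain http(s) base URL');
    }
    return "<?php\n\$siteurl = " . var_export($siteurl, true) . ";\n";
}

// The installer must also refuse to run once installation has completed.
// This is the check that deleting install.lock (CVE-2018-8965) removes.
function installer_allowed(string $lockFile): bool
{
    return !file_exists($lockFile);
}

$payload = "';phpinfo();//";
echo render_config_vulnerable($payload);           // emitted source contains a live phpinfo() call
echo render_config_safe('http://www.example.com/'); // emitted source holds a single quoted string
try {
    render_config_safe($payload);                   // payload is not a URL and is refused
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Even with the safe renderer, the generated inc/config.php should be written once, owned by a different user than the web server where possible, and left non-writable afterwards; an installer that stays reachable after setup turns any later config write into the same class of bug.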
CVE-2018-7434
https://notcve.org/view.php?id=CVE-2018-7434
24 Feb 2018 — zzcms 8.2 allows remote attackers to discover the full path via a direct request to 3/qq_connect2.0/API/class/ErrorCase.class.php or 3/ucenter_api/code/friend.php. The CWE-22 label is the one carried by the record; the behaviour described is a full path disclosure (an information leak from requesting an include file directly), not a traversal. • https://github.com/kongxin520/zzcms/blob/master/zzcms_8.2_bug.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')