CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52724
https://notcve.org/view.php?id=CVE-2024-52724
02 Dec 2024 — ZZCMS 2023 was discovered to contain a SQL injection vulnerability in /q/show.php. Se descubrió que ZZCMS 2023 contiene una vulnerabilidad de inyección SQL en /q/show.php. • https://gist.github.com/npubaishao/768b638ab16b7da6478d028aeb25bbbc • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-11242 – ZZCMS Keyword Filtering ad_list.php sql injection
https://notcve.org/view.php?id=CVE-2024-11242
15 Nov 2024 — A vulnerability was found in ZZCMS 2023. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/ad_list.php?action=pass of the component Keyword Filtering. The manipulation of the argument keyword leads to sql injection. • https://github.com/En0t5/vul/blob/main/zzcms/zzcms-add_list-sql-inject.md • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10293 – ZZCMS functions.php Ebak_SetGotoPak unrestricted upload
https://notcve.org/view.php?id=CVE-2024-10293
23 Oct 2024 — A vulnerability was found in ZZCMS 2023. It has been classified as critical. Affected is the function Ebak_SetGotoPak of the file 3/Ebbak5.1/upload/class/functions.php. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. • https://github.com/LvZCh/zzcms2023/issues/6 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10292 – ZZCMS ChangeTable.php unrestricted upload
https://notcve.org/view.php?id=CVE-2024-10292
23 Oct 2024 — A vulnerability was found in ZZCMS 2023 and classified as critical. This issue affects some unknown processing of the file 3/Ebak5.1/upload/ChangeTable.php. The manipulation of the argument savefilename leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/LvZCh/zzcms2023/issues/5 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10291 – ZZCMS phome.php Ebak_DotranExecutSQL sql injection
https://notcve.org/view.php?id=CVE-2024-10291
23 Oct 2024 — A vulnerability has been found in ZZCMS 2023 and classified as critical. This vulnerability affects the function Ebak_DoExecSQL/Ebak_DotranExecutSQL of the file 3/Ebak5.1/upload/phome.php. The manipulation of the argument phome leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/LvZCh/zzcms2023/issues/3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44818
https://notcve.org/view.php?id=CVE-2024-44818
04 Sep 2024 — Cross Site Scripting vulnerability in ZZCMS v.2023 and before allows a remote attacker to obtain sensitive information via the HTTP_Referer header of the caina.php component. • https://github.com/gkdgkd123/codeAudit/blob/main/CVE-2024-44818%20ZZCMS2023%E5%8F%8D%E5%B0%84%E5%9E%8BXSS3.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44820
https://notcve.org/view.php?id=CVE-2024-44820
04 Sep 2024 — A sensitive information disclosure vulnerability exists in ZZCMS v.2023 and before within the eginfo.php file located at /3/E_bak5.1/upload/. When accessed with the query parameter phome=ShowPHPInfo, the application executes the phpinfo() function, which exposes detailed information about the PHP environment, including server configuration, loaded modules, and environment variables. • https://github.com/gkdgkd123/codeAudit/blob/main/CVE-2024-44820%20ZZCMS2023%20phpinfo%E6%B3%84%E9%9C%B2.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44817
https://notcve.org/view.php?id=CVE-2024-44817
04 Sep 2024 — SQL Injection vulnerability in ZZCMS v.2023 and before allows a remote attacker to obtain sensitive information via the id parameter in the adv2.php component. • https://github.com/gkdgkd123/codeAudit/blob/main/CVE-2024-44817%20ZZCMS2023SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44821
https://notcve.org/view.php?id=CVE-2024-44821
04 Sep 2024 — ZZCMS 2023 contains a vulnerability in the captcha reuse logic located in /inc/function.php. The checkyzm function does not properly refresh the captcha value after a failed validation attempt. As a result, an attacker can exploit this flaw by repeatedly submitting the same incorrect captcha response, allowing them to capture the correct captcha value through error messages. • https://github.com/gkdgkd123/codeAudit/blob/main/CVE-2024-44821%20ZZCMS2023%20%E9%AA%8C%E8%AF%81%E7%A0%81%E5%A4%8D%E7%94%A8%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E.md • CWE-287: Improper Authentication •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44819
https://notcve.org/view.php?id=CVE-2024-44819
04 Sep 2024 — Cross Site Scripting vulnerability in ZZCMS v.2023 and before allows a remote attacker to obtain sensitive information via a crafted script to the pagename parameter of the admin/del.php component. • https://github.com/gkdgkd123/codeAudit/blob/main/CVE-2024-44819%20ZZCMS2023%E5%8F%8D%E5%B0%84%E5%9E%8BXSS4.md •