CVE-2021-32605
https://notcve.org/view.php?id=CVE-2021-32605
11 May 2021 — zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block. • http://www.zzzcms.com/a/news/31_282_1.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-9182
https://notcve.org/view.php?id=CVE-2019-9182
26 Feb 2019 — There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter and file content in the filetext parameter. • http://www.iwantacve.cn/index.php/archives/119 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-9082 – ThinkPHP Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-9082
24 Feb 2019 — ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. • https://packetstorm.news/files/id/151967 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-306: Missing Authentication for Critical Function
CVE-2019-9041 – zzzphp CMS 1.6.1 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-9041
23 Feb 2019 — An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring. ZZZPHP CMS version 1.6.1 suffers from a remot... • https://packetstorm.news/files/id/151824 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')