Latest zzcms zzcms Vulnerabilities

ZZCMS 2023 has a file upload vulnerability in 3/E_bak5.1/upload/index.php, allowing attackers to exploit this loophole to gain server privileges and execute arbitrary code.
Zzcms Zzcms=2023
An issue in zzCMS v.2023 allows a remote attacker to execute arbitrary code and obtain sensitive information via the ueditor component in controller.php.
Zzcms Zzcms=2023
Cross Site Request Forgery vulnerability in ZZCMS v.2023 and earlier allows a remote attacker to gain privileges via the add function in adminlist.php.
Zzcms Zzcms=2023
An issue was discovered in ZZCMS 2022. There is a cross-site scripting (XSS) vulnerability in admin/ad_list.php.
Zzcms Zzcms=2022
An absolute path traversal vulnerability in ZZCMS 2022 allows attackers to obtain sensitive information via a crafted GET request sent to /one/siteinfo.php.
Zzcms Zzcms=2022
ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php.
Zzcms Zzcms=2022
ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server.
Zzcms Zzcms=2022
ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=.
Zzcms Zzcms=2022
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_download.php (when the attacker has dls_download authority) via the id parameter.
Zzcms Zzcms=2019
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendsms.php (when the attacker has dls_print authority) via a dlid cookie.
Zzcms Zzcms=2019
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter.
Zzcms Zzcms=2019
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter.
Zzcms Zzcms=2019
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_print.php (when the attacker has dls_print authority) via the id parameter.
Zzcms Zzcms=2019
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie.
Zzcms Zzcms=2019
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_download.php via an id parameter value with a trailing comma.
Zzcms Zzcms=2019
An issue was discovered in zzcms 2019. SQL Injection exists in /admin/dl_sendsms.php via the id parameter.
Zzcms Zzcms=2019
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma.
Zzcms Zzcms=2019
An issue was discovered in ZZCMS 2021. There is a SQL injection vulnerability in ad_manage.php.
Zzcms Zzcms=2021
An issue was discovered in ZZCMS 2021. There is a cross-site scripting (XSS) vulnerability in ad_manage.php.
Zzcms Zzcms=2021
Directory Traversal vulnerability exists in ZZCMS 2021 via the skin parameter in 1) index.php, 2) bottom.php, and 3) top_index.php.
Zzcms Zzcms=2021
A SQL Injection vulnerability exists in ZZCMS 2021 via the askbigclassid parameter in /admin/ask.php.
Zzcms Zzcms=2021
A Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 via a modify action in user/adv.php.
Zzcms Zzcms=2019
An Incorrect Access Control vulnerability exists in zzcms less than or equal to 2019 via admin.php. After disabling JavaScript, you can directly access the administrator console.
Zzcms Zzcms<=2019
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.
Zzcms Zzcms=8.2
Zzcms Zzcms=8.3
Zzcms Zzcms=2020
Zzcms Zzcms=2021
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_download.php when registering ordinary users.
Zzcms Zzcms=8.2
Zzcms Zzcms=8.3
Zzcms Zzcms=2020
Zzcms Zzcms=2021
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.
Zzcms Zzcms=8.2
Zzcms Zzcms=8.3
Zzcms Zzcms=2020
Zzcms Zzcms=2021
An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php.
Zzcms Zzcms=8.2
Zzcms Zzcms=8.3
Zzcms Zzcms=2020
Zzcms Zzcms=2021
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie.
Zzcms Zzcms=2019
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php.
Zzcms Zzcms=2019
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page.
Zzcms Zzcms=2019
A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendsms.php page cookie.
Zzcms Zzcms=2019
A remote code execution (RCE) vulnerability in template_user.php of ZZCMS version 2018 allows attackers to execute arbitrary PHP code via the "ml" and "title" parameters.
Zzcms Zzcms=2018
An issue was discovered in zzcms2020. There is an XSS vulnerability that can insert and execute JS code arbitrarily via /user/manage.php.
Zzcms Zzcms=2020
An insecure permissions issue in zzcms 201910 allows resetting any user's password via /one/getpassword.php.
Zzcms Zzcms=201910
zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF.
Zzcms Zzcms=201910
A time-based blind SQL injection vulnerability exists in zzcms ver201910 (cookie injection).
Zzcms Zzcms=201910
There is an XSS vulnerability in the user login page in zzcms 2019. Users can inject JS code through the Referer header via user/login.php.
Zzcms Zzcms=2019
Zzcms Zzcms<=8.3
zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution.
Zzcms Zzcms<=8.3
zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: /user/zssave.php.
Zzcms Zzcms<=8.3
zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter.
Zzcms Zzcms=8.3
zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header.
Zzcms Zzcms=8.3
zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter.
Zzcms Zzcms=8.3
A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adclass.php bigclassid parameter.
Zzcms Zzcms=8.3
XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter.
Zzcms Zzcms=8.3
zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT.
Zzcms Zzcms=2019
admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal.
Zzcms Zzcms=2018
An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs.php via a pxzs cookie.
Zzcms Zzcms=8.3
An issue was discovered in zzcms 8.3. SQL Injection exists in zs/search.php via a pxzs cookie.
Zzcms Zzcms=8.3
An issue was discovered in zzcms 8.3. SQL Injection exists in admin/classmanage.php via the tablename parameter. (This needs an admin user login.)
Zzcms Zzcms=8.3
