CVE-2019-9041 - Expression Language Injection vulnerability in Zzzcms Zzzphp 1.6.1
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | HIGH |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
Field | Value |
---|---|
file | exploits/php/webapps/46454.txt |
id | EDB-ID:46454 |
last seen | 2019-02-25 |
modified | 2019-02-25 |
platform | php |
port | |
published | 2019-02-25 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/46454 |
title | zzzphp CMS 1.6.1 - Remote Code Execution |
type | webapps |
Packetstorm
Field | Value |
---|---|
data source | https://packetstormsecurity.com/files/download/151967/zzzphp161-xsrf.txt |
id | PACKETSTORM:151967 |
last seen | 2019-03-05 |
published | 2019-03-04 |
reporter | Yang Chenglong |
source | https://packetstormsecurity.com/files/151967/zzzphp-CMS-1.6.1-Cross-Site-Request-Forgery.html |
title | zzzphp CMS 1.6.1 Cross Site Request Forgery |

Field | Value |
---|---|
data source | https://packetstormsecurity.com/files/download/151824/zzzphpcms161-exec.txt |
id | PACKETSTORM:151824 |
last seen | 2019-02-26 |
published | 2019-02-25 |
reporter | Yang Chenglong |
source | https://packetstormsecurity.com/files/151824/ZZZPHP-CMS-1.6.1-Remote-Code-Execution.html |
title | ZZZPHP CMS 1.6.1 Remote Code Execution |