Vulnerabilities > Zzzcms

DATE CVE VULNERABILITY TITLE RISK
2021-02-05 CVE-2020-18717 SQL Injection vulnerability in Zzzcms Zzzphp 1.7.1
SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php.
network
low complexity
zzzcms CWE-89
critical
9.8
2020-12-18 CVE-2020-20298 Code Injection vulnerability in Zzzcms Zzzphp 1.7.2
Eval injection vulnerability in the parserCommom method in the ParserTemplate class in zzz_template.php in zzzphp 1.7.2 allows remote attackers to execute arbitrary commands.
network
low complexity
zzzcms CWE-94
critical
9.8
2019-10-14 CVE-2019-17408 Code Injection vulnerability in Zzzcms Zzzphp 1.7.3
parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr.
network
low complexity
zzzcms CWE-94
critical
9.8
2019-09-23 CVE-2019-16722 Unspecified vulnerability in Zzzcms Zzzphp 1.7.2
ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation.
network
low complexity
zzzcms
critical
9.8
2019-09-23 CVE-2019-16720 Unrestricted Upload of File with Dangerous Type vulnerability in Zzzcms Zzzphp 1.7.2
ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file.
network
low complexity
zzzcms CWE-434
7.5
2019-03-30 CVE-2019-10647 Unrestricted Upload of File with Dangerous Type vulnerability in Zzzcms Zzzphp 1.6.3
ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions.
network
low complexity
zzzcms CWE-434
critical
9.8
2019-02-26 CVE-2019-9182 Cross-Site Request Forgery (CSRF) vulnerability in Zzzcms Zzzphp 1.6.1
There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request.
network
low complexity
zzzcms CWE-352
8.8
2019-02-24 CVE-2019-9082 Missing Authentication for Critical Function vulnerability in multiple products
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
network
low complexity
thinkphp opensourcebms zzzcms CWE-306
8.8
2019-02-23 CVE-2019-9041 Expression Language Injection vulnerability in Zzzcms Zzzphp 1.6.1
An issue was discovered in ZZZCMS zzzphp V1.6.1.
network
low complexity
zzzcms CWE-917
7.2
2018-12-13 CVE-2018-20127 Improper Input Validation vulnerability in Zzzcms Zzzphp 1.5.8
An issue was discovered in zzzphp cms 1.5.8.
network
low complexity
zzzcms CWE-20
7.5