Vendor CVEs
Zzcms
All CVEs
120 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-43005 | | | 0.00 | — | 0.00 | | Aug 16, 2024 | A reflected cross-site scripting (XSS) vulnerability in the component dl_liuyan_save.php of ZZCMS v2023 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. |
| CVE-2024-43011 | | | 0.00 | — | 0.01 | | Aug 16, 2024 | An arbitrary file deletion vulnerability exists in the admin/del.php file at line 62 in ZZCMS 2023 and earlier. Due to insufficient validation and sanitization of user input for file paths, an attacker can exploit this vulnerability by using directory traversal techniques to… |
| CVE-2024-43009 | | | 0.00 | — | 0.00 | | Aug 16, 2024 | A reflected cross-site scripting (XSS) vulnerability exists in user/login.php at line 24 in ZZCMS 2023 and earlier. The application directly inserts the value of the HTTP_REFERER header into the HTML response without proper sanitization. An attacker can exploit this… |
| CVE-2024-43006 | | | 0.00 | — | 0.00 | | Aug 16, 2024 | A stored cross-site scripting (XSS) vulnerability exists in ZZCMS2023 in the ask/show.php file at line 21. An attacker can exploit this vulnerability by sending a specially crafted POST request to /user/ask_edit.php?action=add, which includes malicious JavaScript code in the… |
| CVE-2023-50104 | | | 0.00 | — | 0.01 | | Dec 28, 2023 | ZZCMS 2023 has a file upload vulnerability in 3/E_bak5.1/upload/index.php, allowing attackers to exploit this loophole to gain server privileges and execute arbitrary code. |
| CVE-2023-45555 | | | 0.00 | — | 0.01 | | Oct 24, 2023 | File Upload vulnerability in zzzCMS v.2.1.9 allows a remote attacker to execute arbitrary code via a crafted file to the down_url function in zzz.php file. |
| CVE-2023-45909 | | | 0.00 | — | 0.00 | | Oct 18, 2023 | zzzcms v2.2.0 was discovered to contain an open redirect vulnerability. |
| CVE-2023-5582 | | | 0.00 | — | 0.01 | | Oct 14, 2023 | A vulnerability, which was classified as problematic, has been found in ZZZCMS 2.2.0. This issue affects some unknown processing of the component Personal Profile Page. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. The exploit has… |
| CVE-2023-5263 | | | 0.00 | — | 0.01 | | Sep 29, 2023 | A vulnerability was found in ZZZCMS 2.1.7 and classified as critical. Affected by this issue is the function restore of the file /admin/save.php of the component Database Backup File Handler. The manipulation leads to permission issues. The attack may be launched remotely. The… |
| CVE-2023-36162 | | | 0.00 | — | 0.00 | | Jul 3, 2023 | Cross Site Request Forgery vulnerability in ZZCMS v.2023 and earlier allows a remote attacker to gain privileges via the add function in adminlist.php. |
| CVE-2022-44361 | | | 0.00 | — | 0.00 | | Dec 7, 2022 | An issue was discovered in ZZCMS 2022. There is a cross-site scripting (XSS) vulnerability in admin/ad_list.php. |
| CVE-2022-40447 | | | 0.00 | — | 0.01 | | Sep 22, 2022 | ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php. |
| CVE-2022-40446 | | | 0.00 | — | 0.01 | | Sep 22, 2022 | ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=. |
| CVE-2022-40444 | | | 0.00 | — | 0.01 | | Sep 22, 2022 | ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server. |
| CVE-2019-12352 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie. |
| CVE-2019-12353 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/dl_sendmail.php (when the attacker has admin authority) via the id parameter. |
| CVE-2019-12354 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter. |
| CVE-2019-12355 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_print.php (when the attacker has dls_print authority) via the id parameter. |
| CVE-2019-12356 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /user/dls_download.php (when the attacker has dls_download authority) via the id parameter. |
| CVE-2019-12357 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/deluser.php (when the attacker has admin authority) via the id parameter. |
| CVE-2019-12358 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendsms.php (when the attacker has dls_print authority) via a dlid cookie. |
| CVE-2019-12359 | | | 0.00 | — | 0.01 | | Jun 17, 2022 | An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter. |
| CVE-2019-12350 | | | 0.00 | — | 0.01 | | Jun 2, 2022 | An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_download.php via an id parameter value with a trailing comma. |
| CVE-2019-12349 | | | 0.00 | — | 0.01 | | Jun 2, 2022 | An issue was discovered in zzcms 2019. SQL Injection exists in /admin/dl_sendsms.php via the id parameter. |
| CVE-2019-12351 | | | 0.00 | — | 0.01 | | Jun 2, 2022 | An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma. |
| CVE-2022-28521 | | | 0.00 | — | 0.02 | | Apr 26, 2022 | ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config. |
| CVE-2021-46437 | | | 0.00 | — | 0.00 | | Apr 8, 2022 | An issue was discovered in ZZCMS 2021. There is a cross-site scripting (XSS) vulnerability in ad_manage.php. |
| CVE-2021-46436 | | | 0.00 | — | 0.01 | | Apr 8, 2022 | An issue was discovered in ZZCMS 2021. There is a SQL injection vulnerability in ad_manage.php. |
| CVE-2021-45347 | | | 0.00 | — | 0.01 | | Feb 14, 2022 | An Incorrect Access Control vulnerability exists in zzcms 8.2, which lets a malicious user bypass authentication by changing the user name in the cookie to use any password. |
| CVE-2021-45286 | | | 0.00 | — | 0.02 | | Feb 9, 2022 | Directory Traversal vulnerability exists in ZZCMS 2021 via the skin parameter in 1) index.php, 2) bottom.php, and 3) top_index.php. |
| CVE-2021-42945 | | | 0.00 | — | 0.01 | | Dec 15, 2021 | A SQL Injection vulnerability exists in ZZCMS 2021 via the askbigclassid parameter in /admin/ask.php. |
| CVE-2020-19042 | | | 0.00 | — | 0.01 | | Dec 13, 2021 | Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via a modify action in user/adv.php. |
| CVE-2020-19683 | | | 0.00 | — | 0.01 | | Dec 9, 2021 | A Cross Site Scripting (XSS) exists in ZZZCMS V1.7.1 via an editfile action in save.php. |
| CVE-2020-19682 | | | 0.00 | — | 0.01 | | Dec 9, 2021 | A Cross Site Request Forgery (CSRF) vulnerability exists in ZZZCMS V1.7.1 via the save_user function in save.php. |
| CVE-2021-40282 | | | 0.00 | — | 0.01 | | Dec 9, 2021 | An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_download.php when registering ordinary users. |
| CVE-2021-40281 | | | 0.00 | — | 0.01 | | Dec 9, 2021 | An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users. |
| CVE-2021-40280 | | | 0.00 | — | 0.01 | | Dec 9, 2021 | An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php. |
| CVE-2021-40279 | | | 0.00 | — | 0.01 | | Dec 9, 2021 | An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php. |
| CVE-2020-19957 | | | 0.00 | — | 0.01 | | Oct 14, 2021 | A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page. |
| CVE-2020-19961 | | | 0.00 | — | 0.02 | | Oct 14, 2021 | A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php. |
| CVE-2020-19822 | | | 0.00 | — | 0.03 | | Aug 26, 2021 | A remote code execution (RCE) vulnerability in template_user.php of ZZCMS version 2018 allows attackers to execute arbitrary PHP code via the "ml" and "title" parameters. |
| CVE-2020-21342 | | | 0.00 | — | 0.01 | | May 13, 2021 | Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php. |
| CVE-2020-23426 | | | 0.00 | — | 0.04 | | Apr 8, 2021 | zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF. |
| CVE-2020-24877 | | | 0.00 | — | 0.02 | | Mar 15, 2021 | A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass. |
| CVE-2020-20285 | | | 0.00 | — | 0.02 | | Dec 18, 2020 | There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php |
| CVE-2019-17408 | | | 0.00 | — | 0.04 | | Oct 14, 2019 | parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr. |
| CVE-2019-16722 | | | 0.00 | — | 0.03 | | Sep 23, 2019 | ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation. |
| CVE-2019-16720 | | | 0.00 | — | 0.01 | | Sep 23, 2019 | ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file. |
| CVE-2019-1010153 | | | 0.00 | — | 0.02 | | Jul 23, 2019 | zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php. |
| CVE-2019-1010152 | | | 0.00 | — | 0.02 | | Jul 23, 2019 | zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: user/manage.php line 31-80. |