seedis/zzcms

seedis/zzcms

Releases0

Stars1

zzcms 8.3 SQL injection

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2018-17412 ↗	Mar 7, 2019Thursday, 7 March 2019, 23:29	—	7.5 HIGH
zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header.
CVE-2018-17414 ↗	Mar 7, 2019Thursday, 7 March 2019, 23:29	—	6.5 MEDIUM
zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter.
CVE-2018-17415 ↗	Mar 7, 2019Thursday, 7 March 2019, 23:29	—	6.5 MEDIUM
zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter.
CVE-2018-17416 ↗	Mar 7, 2019Thursday, 7 March 2019, 23:29	—	6.5 MEDIUM
A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adclass.php bigclassid parameter.
CVE-2018-17797 ↗	Sep 30, 2018Sunday, 30 September 2018, 20:29	—	5.5 MEDIUM
An issue was discovered in zzcms 8.3. user/zssave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.
CVE-2018-17798 ↗	Sep 30, 2018Sunday, 30 September 2018, 20:29	—	5.5 MEDIUM
An issue was discovered in zzcms 8.3. user/ztconfig.php allows remote attackers to delete arbitrary files via an absolute pathname in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.