Z Blogphp

z-blogphp

Vendor: Zblogcn • 21 CVEs

CVEs (21)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-55529 1Zblogcn 1Z Blogphp Sep 5, 2025 Jan 6, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \zb_users\theme\shell\template.
CVE-2024-39203 1Zblogcn 1Z Blogphp Mar 13, 2025 Jul 8, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in the Backend Theme Management module of Z-BlogPHP v1.7.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2022-40357 1Zblogcn 1Z Blogphp May 28, 2025 Sep 20, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A security issue was discovered in Z-BlogPHP <= 1.7.2. A Server-Side Request Forgery (SSRF) vulnerability in the zb_users/plugin/UEditor/php/action_crawler.php file allows remote attackers to force the application to mak...Show more A security issue was discovered in Z-BlogPHP <= 1.7.2. A Server-Side Request Forgery (SSRF) vulnerability in the zb_users/plugin/UEditor/php/action_crawler.php file allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter.Show less
CVE-2020-29177 1Zblogcn 1Z Blogphp Nov 21, 2024 Dec 2, 2021 N/A· v4 9.1 CRITICAL· v3 6.4 MEDIUM· v2 Z-BlogPHP v1.6.1.2100 was discovered to contain an arbitrary file deletion vulnerability via \app_del.php.
CVE-2020-29176 1Zblogcn 1Z Blogphp Nov 21, 2024 Dec 2, 2021 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file.
CVE-2020-18268 1Zblogcn 1Z Blogphp Nov 21, 2024 Jun 7, 2021 N/A· v4 6.1 MEDIUM· v3 5.8 MEDIUM· v2 Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
CVE-2020-23352 1Zblogcn 1Z Blogphp Nov 21, 2024 Jan 27, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Z-BlogPHP 1.6.0 Valyria is affected by incorrect access control. PHP loose comparison and a magic hash can be used to bypass authentication. zb_user/plugin/passwordvisit/include.php:passwordvisit_input_password() uses lo...Show more Z-BlogPHP 1.6.0 Valyria is affected by incorrect access control. PHP loose comparison and a magic hash can be used to bypass authentication. zb_user/plugin/passwordvisit/include.php:passwordvisit_input_password() uses loose comparison to authenticate, which can be bypassed via magic hash values.Show less
CVE-2018-19556 1Zblogcn 1Z Blogphp Nov 21, 2024 Nov 26, 2018 N/A· v4 4.3 MEDIUM· v3 4.3 MEDIUM· v2 zb_system/admin/index.php?act=UploadMng in Z-BlogPHP 1.5 mishandles file preview, leading to content spoofing. NOTE: the software maintainer disputes that this is a vulnerability
CVE-2018-19463 1Zblogcn 1Z Blogphp Nov 21, 2024 Nov 22, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. NOT...Show more zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. NOTE: The vendor's position is "We have no dynamic including. No one can run PHP by uploading an image in current version." It also requires authenticationShow less
CVE-2018-18842 1Zblogcn 1Z Blogphp Nov 21, 2024 Oct 30, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 (Zero), which allows remote attackers to execute arbitrary PHP code.
CVE-2018-18381 1Zblogcn 1Z Blogphp Nov 21, 2024 Oct 16, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-11209 1Zblogcn 1Z Blogphp Nov 21, 2024 May 16, 2018 N/A· v4 7.2 HIGH· v3 4.0 MEDIUM· v2 An issue was discovered in Z-BlogPHP 2.0.0. zb_system/cmd.php?act=verify relies on MD5 for the password parameter, which might make it easier for attackers to bypass intended access restrictions via a dictionary or rainb...Show more An issue was discovered in Z-BlogPHP 2.0.0. zb_system/cmd.php?act=verify relies on MD5 for the password parameter, which might make it easier for attackers to bypass intended access restrictions via a dictionary or rainbow-table attack. NOTE: the vendor declined to accept this as a valid issueShow less
CVE-2018-11208 1Zblogcn 1Z Blogphp Nov 21, 2024 May 16, 2018 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NO...Show more An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilegeShow less
CVE-2018-10680 1Zblogcn 1Z Blogphp Nov 21, 2024 May 2, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php...Show more Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug.Show less
CVE-2018-9169 1Zblogcn 1Z Blogphp Nov 21, 2024 Apr 16, 2018 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF.
CVE-2018-9153 1Zblogcn 1Z Blogphp Nov 21, 2024 Apr 16, 2018 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a di...Show more The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directly by an administrator, or through CSRF.Show less
CVE-2018-8893 1Zblogcn 1Z Blogphp Nov 21, 2024 Mar 31, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.
CVE-2018-7737 1Zblogcn 1Z Blogphp Nov 21, 2024 Mar 6, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 In Z-BlogPHP 1.5.1.1740, there is Web Site physical path leakage, as demonstrated by admin_footer.php or admin_footer.php. NOTE: the software maintainer disputes that this is a vulnerability
CVE-2018-7736 1Zblogcn 1Z Blogphp Nov 21, 2024 Mar 6, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability
CVE-2018-6846 1Zblogcn 1Z Blogphp Nov 21, 2024 Feb 8, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Z-BlogPHP 1.5.1 allows remote attackers to discover the full path via a direct request to zb_system/function/lib/upload.php.

12 Next