Zzzphp

zzzphp

Vendor: Zzzcms • 14 CVEs

CVEs (14)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-45909 1Zzzcms 1Zzzphp Nov 21, 2024 Oct 18, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 zzzcms v2.2.0 was discovered to contain an open redirect vulnerability.
CVE-2022-23881 1Zzzcms 1Zzzphp Nov 21, 2024 Mar 23, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php.
CVE-2021-32605 1Zzzcms 1Zzzphp Nov 21, 2024 May 11, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block.
CVE-2020-24877 1Zzzcms 1Zzzphp Nov 21, 2024 Mar 15, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass.
CVE-2020-18717 1Zzzcms 1Zzzphp Nov 21, 2024 Feb 5, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php.
CVE-2020-20298 1Zzzcms 1Zzzphp Nov 21, 2024 Dec 18, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Eval injection vulnerability in the parserCommom method in the ParserTemplate class in zzz_template.php in zzzphp 1.7.2 allows remote attackers to execute arbitrary commands.
CVE-2019-17408 1Zzzcms 1Zzzphp Nov 21, 2024 Oct 14, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr.
CVE-2019-16722 1Zzzcms 1Zzzphp Nov 21, 2024 Sep 23, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation.
CVE-2019-16720 1Zzzcms 1Zzzphp Nov 21, 2024 Sep 23, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file.
CVE-2019-10647 1Zzzcms 1Zzzphp Nov 21, 2024 Mar 30, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions....Show more ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if the 192.168.0.1 web server sends the contents of a .php file (i.e., it does not interpret a .php file).Show less
CVE-2019-9182 1Zzzcms 1Zzzphp Dec 9, 2025 Feb 26, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 There is a CSRF in ZZZCMS zzzphp V1.6.1 via a /admin015/save.php?act=editfile request. It allows PHP code injection by providing a filename in the file parameter, and providing file content in the filetext parameter.
CVE-2019-9082 3Opensourcebms ThinkphpZzzcms 3Open Source Background Management System ThinkphpZzzphp Dec 9, 2025 Feb 24, 2019 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed...Show more ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.Show less
CVE-2019-9041 1Zzzcms 1Zzzphp Nov 21, 2024 Feb 23, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.
CVE-2018-20127 1Zzzcms 1Zzzphp Nov 21, 2024 Dec 13, 2018 N/A· v4 7.5 HIGH· v3 6.4 MEDIUM· v2 An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but...Show more An issue was discovered in zzzphp cms 1.5.8. del_file in /admin/save.php allows remote attackers to delete arbitrary files via a mixed-case extension and an extra '.' character, because (for example) "php" is blocked but path=F:/1.phP. succeeds.Show less