Filtered by vendor Zzzcms
Subscribe
Search
Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23881 | 1 Zzzcms | 1 Zzzphp | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php. | |||||
| CVE-2020-20298 | 1 Zzzcms | 1 Zzzphp | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Eval injection vulnerability in the parserCommom method in the ParserTemplate class in zzz_template.php in zzzphp 1.7.2 allows remote attackers to execute arbitrary commands. | |||||
| CVE-2019-9082 | 3 Opensourcebms, Thinkphp, Zzzcms | 3 Open Source Background Management System, Thinkphp, Zzzphp | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. | |||||
| CVE-2019-16722 | 1 Zzzcms | 1 Zzzphp | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation. | |||||
| CVE-2019-17408 | 1 Zzzcms | 1 Zzzphp | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr. | |||||
| CVE-2021-32605 | 1 Zzzcms | 1 Zzzphp | 2021-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an "if" "end if" block. | |||||
| CVE-2020-24877 | 1 Zzzcms | 1 Zzzphp | 2021-03-16 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability in zzzphp v1.8.0 through /form/index.php?module=getjson may lead to a possible access restriction bypass. | |||||
| CVE-2020-18717 | 1 Zzzcms | 1 Zzzphp | 2021-02-08 | 7.5 HIGH | 9.8 CRITICAL |
| SQL Injection in ZZZCMS zzzphp 1.7.1 allows remote attackers to execute arbitrary code due to a lack of parameter filtering in inc/zzz_template.php. | |||||
| CVE-2019-10647 | 1 Zzzcms | 1 Zzzphp | 2019-04-01 | 7.5 HIGH | 9.8 CRITICAL |
| ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if the 192.168.0.1 web server sends the contents of a .php file (i.e., it does not interpret a .php file). | |||||