ZzcmsCVEs & Vulnerabilities

105 CVEs affecting Zzcms products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

zzcms 116zzmcms 1
CVE-2020-19042MEDIUM

Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via a modify action in user/adv.php.

14 Dec 2021
6.1
CVSS
CVE-2021-43703CRITICAL

An Incorrect Access Control vulnerability exists in zzcms less than or equal to 2019 via admin.php. After disabling JavaScript, you can directly access the administrator console.

9 Dec 2021
9.8
CVSS
CVE-2021-40282HIGH

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, abd 2021 in dl/dl_download.php. when registering ordinary users.

9 Dec 2021
8.8
CVSS
CVE-2021-40281HIGH

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 in dl/dl_print.php when registering ordinary users.

9 Dec 2021
8.8
CVSS
CVE-2021-40280HIGH

An SQL Injection vulnerablitly exits in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/dl_sendmail.php.

9 Dec 2021
7.2
CVSS
CVE-2021-40279HIGH

An SQL Injection vulnerability exists in zzcms 8.2, 8.3, 2020, and 2021 via the id parameter in admin/bad.php.

9 Dec 2021
7.2
CVSS
CVE-2020-19961HIGH

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the component subzs.php.

14 Oct 2021
7.5
CVSS
CVE-2020-19960HIGH

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendsms.php page cookie.

14 Oct 2021
7.5
CVSS
CVE-2020-19959HIGH

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the dlid parameter in the /dl/dl_sendmail.php page cookie.

14 Oct 2021
7.5
CVSS
CVE-2020-19957HIGH

A SQL injection vulnerability has been discovered in zz cms version 2019 which allows attackers to retrieve sensitive data via the id parameter on the /dl/dl_print.php page.

14 Oct 2021
7.5
CVSS
CVE-2020-19822HIGH

A remote code execution (RCE) vulnerability in template_user.php of ZZCMS version 2018 allows attackers to execute arbitrary PHP code via the "ml" and "title" parameters.

26 Aug 2021
7.2
CVSS
CVE-2020-35973MEDIUM

An issue was discovered in zzcms2020. There is a XSS vulnerability that can insert and execute JS code arbitrarily via /user/manage.php.

4 Jun 2021
5.4
CVSS
CVE-2019-12348CRITICAL

An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter.

24 May 2021
9.8
CVSS
CVE-2020-21342HIGH

Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.

13 May 2021
7.5
CVSS
CVE-2020-23426CRITICAL

zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF.

8 Apr 2021
9.8
CVSS
CVE-2020-23630HIGH

A blind SQL injection vulnerability exists in zzcms ver201910 based on time (cookie injection).

11 Jan 2021
8.8
CVSS
CVE-2020-20285MEDIUM

There is a XSS in the user login page in zzcms 2019. Users can inject js code by the referer header via user/login.php

18 Dec 2020
5.4
CVSS
CVE-2019-1010153CRITICAL

zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php.

23 Jul 2019
9.8
CVSS
CVE-2019-1010152CRITICAL

zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: user/manage.php line 31-80.

23 Jul 2019
9.8
CVSS
CVE-2019-1010150CRITICAL

zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: /user/zssave.php.

23 Jul 2019
9.8
CVSS
CVE-2019-1010149CRITICAL

zzcms version 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: zzcms File Delete to Code Execution. The component is: user/licence_save.php.

23 Jul 2019
9.8
CVSS
CVE-2019-1010148CRITICAL

zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution.

23 Jul 2019
9.8
CVSS
CVE-2019-1010151CRITICAL

zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell. The impact is: getshell. The component is: /user/ppsave.php.

19 Jul 2019
9.8
CVSS
CVE-2018-17416HIGH

A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adclass.php bigclassid parameter.

8 Mar 2019
7.2
CVSS
CVE-2018-17415HIGH

zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter.

8 Mar 2019
8.8
CVSS
CVE-2018-17414HIGH

zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter.

8 Mar 2019
8.8
CVSS
CVE-2018-17413MEDIUM

XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter.

8 Mar 2019
6.1
CVSS
CVE-2018-17412CRITICAL

zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header.

8 Mar 2019
9.8
CVSS
CVE-2019-9078MEDIUM

zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT.

24 Feb 2019
5.4
CVSS
CVE-2019-8411HIGH

admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal.

17 Feb 2019
7.5
CVSS
CVE-2018-18792CRITICAL

An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs_list.php via a pxzs cookie.

29 Oct 2018
9.8
CVSS
CVE-2018-18791CRITICAL

An issue was discovered in zzcms 8.3. SQL Injection exists in zs/search.php via a pxzs cookie.

29 Oct 2018
9.8
CVSS
CVE-2018-18790HIGH

An issue was discovered in zzcms 8.3. SQL Injection exists in admin/special_add.php via a zxbigclassid cookie. (This needs an admin user login.)

29 Oct 2018
7.2
CVSS
CVE-2018-18789CRITICAL

An issue was discovered in zzcms 8.3. SQL Injection exists in zt/top.php via a Host HTTP header to zt/news.php.

29 Oct 2018
9.8
CVSS
CVE-2018-18788HIGH

An issue was discovered in zzcms 8.3. SQL Injection exists in admin/classmanage.php via the tablename parameter. (This needs an admin user login.)

29 Oct 2018
7.2
CVSS
CVE-2018-18787CRITICAL

An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs.php via a pxzs cookie.

29 Oct 2018
9.8
CVSS
CVE-2018-18786CRITICAL

An issue was discovered in zzcms 8.3. SQL Injection exists in ajax/zs.php via a pxzs cookie.

29 Oct 2018
9.8
CVSS
CVE-2018-18785CRITICAL

An issue was discovered in zzcms 8.3. SQL Injection exists in zs/subzs.php with a zzcmscpid cookie to zs/search.php.

29 Oct 2018
9.8
CVSS
CVE-2018-18784HIGH

An issue was discovered in zzcms 8.3. SQL Injection exists in admin/tagmanage.php via the tabletag parameter. (This needs an admin user login.)

29 Oct 2018
7.2
CVSS
CVE-2018-17798MEDIUM

An issue was discovered in zzcms 8.3. user/ztconfig.php allows remote attackers to delete arbitrary files via an absolute pathname in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

30 Sep 2018
6.5
CVSS
CVE-2018-17797MEDIUM

An issue was discovered in zzcms 8.3. user/zssave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock.

30 Sep 2018
6.5
CVSS
CVE-2018-17136CRITICAL

zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header.

17 Sep 2018
9.8
CVSS
CVE-2018-16344HIGH

An issue was discovered in zzcms 8.3. It allows remote attackers to delete arbitrary files via directory traversal sequences in the flv parameter. This can be leveraged for database access by deleting install.lock.

2 Sep 2018
7.5
CVSS
CVE-2018-1000653CRITICAL

zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx.

20 Aug 2018
9.8
CVSS
CVE-2018-14963HIGH

zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI.

6 Aug 2018
8.8
CVSS
CVE-2018-14962MEDIUM

zzcms 8.3 has stored XSS related to the content variable in user/manage.php and zt/show.php.

6 Aug 2018
5.4
CVSS
CVE-2018-14961CRITICAL

dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql parameter.

6 Aug 2018
9.8
CVSS
CVE-2018-13116CRITICAL

/user/del.php in zzcms 8.3 allows SQL injection via the tablename parameter after leveraging use of the zzcms_ask table.

3 Jul 2018
9.8
CVSS