CVE-2018-17797

Name of the Vulnerable Software and Affected Versions zzcms version 8.3

Description An issue was discovered that allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request to the "user/zssave.php" endpoint. This can be leveraged for database access by deleting install.lock.

Recommendations For zzcms version 8.3, consider restricting access to the "user/zssave.php" endpoint or disabling the action=modify request until a patch is available. Additionally, restrict the use of the oldimg parameter to prevent directory traversal attacks.