PT-2018-14201 · Zzcms · Zzcms

Published 2018-09-30 · Updated 2020-08-24 · CVE-2018-17798

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: zzcms version 8.3
Description: The action=modify handler of the "user/ztconfig.php" endpoint deletes the file named by the oldimg parameter (the previously uploaded image) without confining that name to the upload directory, so a remote attacker who can reach the endpoint (the CVSS vector's PR:L: a low-privileged account, not an administrator) can delete an arbitrary file on the server by supplying an absolute pathname. Deleting install.lock is the documented way to leverage this: the lock file is what stops the web installer from being run again, and removing it lets the installer be re-run, which is the route to database access the advisory refers to.
Recommendations: For zzcms version 8.3, do not trust the oldimg parameter of the "user/ztconfig.php" endpoint until the issue is resolved: if you can patch locally, have the handler accept only a bare file name that resolves inside the image upload directory before it calls unlink(). Restrict access to action=modify requests to "user/ztconfig.php" (for example to trusted accounts, or at the web server or WAF by rejecting oldimg values that contain a path separator) to minimize the risk of exploitation. Because the impact depends on install.lock, also block web access to the installer directory and alert on the lock file disappearing.
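The following is an added example, not zzcms source: it models the "delete the previous image on action=modify" step the advisory describes, first as the unsafe pattern and then with the server-side check recommended above. The function names, the upload directory and the scratch files it creates are all assumptions made for the demo.

```php
<?php
// Added illustration, not zzcms code. Models the "delete the previous image
// on action=modify" step behind CVE-2018-17798: the unsafe pattern, then a
// version that confines deletion to the upload directory. Directory names
// and the demo files below are constructed for this example.

// Unsafe pattern: the request value reaches unlink() unchanged, so
// oldimg=/var/www/html/install/install.lock removes the install lock.
function delete_old_image_unsafe(string $oldimg): bool
{
    return $oldimg !== '' && @unlink($oldimg);
}

// Hardened: accept only a bare file name with an expected image extension,
// then resolve it and require the real path to sit under $uploadDir.
function delete_old_image_safe(string $uploadDir, string $oldimg): bool
{
    // 1. No path components at all: rejects "/abs/path", "../x" and "sub/x".
    if ($oldimg === '' || $oldimg !== basename($oldimg)) {
        return false;
    }
    // 2. Allow-list the name shape rather than trying to block bad characters.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)$/', $oldimg)) {
        return false;
    }
    // 3. realpath() resolves symlinks, so a planted link that points outside
    //    the upload directory fails the prefix check below.
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $oldimg);
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

// Demo on a throwaway tree: one legitimate upload and a decoy install.lock.
function run_demo(): array
{
    $root = sys_get_temp_dir() . '/ztconfig_demo_' . getmypid();
    mkdir("$root/uploads", 0700, true);
    mkdir("$root/install", 0700, true);
    file_put_contents("$root/uploads/logo.jpg", 'image bytes');
    file_put_contents("$root/install/install.lock", 'installed');

    $results = [
        'absolute path rejected' => delete_old_image_safe("$root/uploads", "$root/install/install.lock") === false,
        'traversal rejected'     => delete_old_image_safe("$root/uploads", '../install/install.lock') === false,
        'legit upload deleted'   => delete_old_image_safe("$root/uploads", 'logo.jpg') === true
                                    && !file_exists("$root/uploads/logo.jpg"),
        'install.lock survived'  => file_exists("$root/install/install.lock"),
        // The same absolute path through the unsafe function does remove the lock.
        'unsafe variant deleted' => delete_old_image_unsafe("$root/install/install.lock") === true
                                    && !file_exists("$root/install/install.lock"),
    ];

    // Remove the scratch tree.
    @unlink("$root/install/install.lock");
    rmdir("$root/install");
    rmdir("$root/uploads");
    rmdir($root);
    return $results;
}

foreach (run_demo() as $check => $ok) {
    printf("%-24s %s\n", $check, $ok ? 'ok' : 'FAIL');
}
```

Run it with `php` from the command line; every line should print `ok`. The basename() comparison is the check that matters for this CVE (it rejects the absolute pathname outright), while the realpath() prefix check covers the symlink case that a bare-name check alone would miss.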

Weakness Enumeration

Path traversal

Related identifiers

CVE-2018-17798

Affected products

Zzcms