Zzcms · Zzcms · CVE-2019-8411
**Name of the Vulnerable Software and Affected Versions**
zzcms version 2018
**Description**
The issue allows remote attackers to delete arbitrary files via a directory traversal attack through the `action` and `filename` parameters of the `admin/dl_data.php` file. Specifically, the `filename` parameter is vulnerable to directory traversal, which lets an attacker access and delete files outside of the intended directory.
**Recommendations**
For zzcms version 2018, restrict access to the `admin/dl_data.php` file to minimize the risk of exploitation. As a temporary workaround, consider disabling the file deletion functionality in this file until a patch is available. Avoid passing untrusted input to the `filename` parameter of `admin/dl_data.php` until the issue is resolved.
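
One way to constrain a `filename` parameter before a delete, shown as an added example that is not zzcms code and not a vendor patch. The base directory, the `.sql` allowlist and the function names `resolve_inside` and `delete_inside` are assumptions made for illustration.

```php
<?php
// Added example, not zzcms code. Directory layout, the ".sql" allowlist and
// all function names are assumptions for illustration.

/** Map a user-supplied file name to a canonical path inside $baseDir, or null. */
function resolve_inside(string $baseDir, string $filename): ?string
{
    // Allowlist a plain file name: no "/", "\", NUL or other separators can match.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\.sql\z/', $filename)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ".." and follows symlinks; false means no such file.
    $real = realpath($base . DIRECTORY_SEPARATOR . $filename);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator stops
    // a sibling such as "backup_old" from passing as "backup".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/** Delete only files that resolve inside $baseDir; report whether one was removed. */
function delete_inside(string $baseDir, string $filename): bool
{
    $path = resolve_inside($baseDir, $filename);
    return $path !== null && unlink($path);
}

// Constructed demo in a throwaway temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/backup', 0700, true);
file_put_contents($root . '/backup/old.sql', 'x');
file_put_contents($root . '/keep.sql', 'x');          // sits outside the base dir

foreach (['old.sql', '../keep.sql', 'old.sql/../../keep.sql'] as $name) {
    printf("%-26s deleted=%s\n", $name, var_export(delete_inside($root . '/backup', $name), true));
}
printf("keep.sql still present: %s\n", var_export(file_exists($root . '/keep.sql'), true));
```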