Airrudder

**Name of the Vulnerable Software and Affected Versions** ZZCMS version 2025 **Description** A security issue exists in ZZCMS 2025 related to the User Data Storage Module. A flaw within the `/reg/user save.php` file results in the storage of data in cleartext on a file or disk. Remote exploitation is possible. The exploit has been published. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZZCMS version 2025 **Description** A code injection issue exists in ZZCMS 2025, specifically within the Backend Website Settings Module. The `stripfxg` function in the `/admin/siteconfig.php` file is affected. Manipulation of the `icp` argument can lead to code injection, and the attack can be executed remotely. The exploit has been publicly disclosed. **Recommendations** Apply any available updates to address the issue in the `stripfxg` function of the `/admin/siteconfig.php` file. As a temporary workaround, restrict access to the `/admin/siteconfig.php` file to minimize the risk of exploitation. Avoid using the `icp` parameter in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CTCMS Content Management System versions up to 2.1.2 **Description** A code injection issue exists in CTCMS Content Management System. The issue is located in the `Save` function within the `/ctcms/libs/Ct App.php` file of the Backend App Configuration Module. Manipulation of the `CT App Paytype` argument can lead to code injection. Remote exploitation is possible, and a public exploit is available. **Recommendations** Versions prior to 2.1.2 should be updated.

**Name of the Vulnerable Software and Affected Versions** CTCMS Content Management System versions up to 2.1.2 **Description** A security flaw exists in CTCMS Content Management System. The issue resides in an unknown function within the `/ctcms/libs/Ct Config.php` library of the Backend System Configuration Module. Manipulation of the `Cj Add`/`Cj Edit` argument can lead to code injection, and the attack can be carried out remotely. The exploit for this issue has been publicly released and may be exploited. **Recommendations** Versions prior to 2.1.2 should be updated.

**Name of the Vulnerable Software and Affected Versions** CTCMS Content Management System versions up to 2.1.2 **Description** A weakness exists in CTCMS Content Management System up to version 2.1.2. This issue affects an unknown function within the `/ctcms/apps/libraries/CT Parser.php` library of the Frontend/Template Management Module. The issue is due to improper neutralization of special elements used in a template engine, and it can be exploited remotely. The exploit for this issue has been publicly released. **Recommendations** Versions prior to 2.1.2 should be updated.