Cby234

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue was discovered in zzcms, where there is a SQL injection vulnerability in the "/admin/ztliuyan sendmail.php" endpoint when the attacker has admin authority, via the `id` parameter. **Recommendations** For zzcms version 2019, as a temporary workaround, consider restricting access to the "/admin/ztliuyan sendmail.php" endpoint or validating and sanitizing the `id` parameter to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue was discovered in zzcms, where there is a SQL injection vulnerability in the /admin/showbad.php endpoint when the attacker has admin authority, via the `id` parameter. **Recommendations** For zzcms version 2019, as a temporary workaround, consider restricting access to the /admin/showbad.php endpoint or disabling the use of the `id` parameter in this endpoint until a patch is available. Avoid using the `id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue was discovered in the software, which allows for SQL injection via the `id` parameter in the "/user/dls print.php" API endpoint when the attacker has dls print authority. **Recommendations** For zzcms version 2019, consider restricting access to the "/user/dls print.php" API endpoint or limiting the use of the `id` parameter until a fix is available.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue was discovered in the software, which is a SQL injection vulnerability. This vulnerability exists in the /user/dls download.php endpoint when the attacker has dls download authority, and it can be exploited via the `id` parameter. **Recommendations** For zzcms version 2019, consider restricting access to the /user/dls download.php endpoint until a patch is available, and avoid using the `id` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue was discovered in zzcms, where there is a SQL injection vulnerability in the /admin/deluser.php endpoint when the attacker has admin authority, via the `id` parameter. **Recommendations** For zzcms version 2019, as a temporary workaround, consider restricting access to the /admin/deluser.php endpoint or validating and sanitizing the `id` parameter to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue was discovered in zzcms, where there is a SQL injection vulnerability in the /dl/dl sendsms.php endpoint when the attacker has dls print authority, via the `dlid` cookie. **Recommendations** For zzcms version 2019, as a temporary workaround, consider restricting access to the /dl/dl sendsms.php endpoint until a patch is available. Additionally, limit the use of the `dlid` cookie to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue was discovered in zzcms, where there is a SQL injection vulnerability in the /dl/dl sendmail.php endpoint when the attacker has dls print authority. This vulnerability can be exploited via the `dlid` cookie. **Recommendations** For zzcms version 2019, as a temporary workaround, consider restricting access to the /dl/dl sendmail.php endpoint to minimize the risk of exploitation. Avoid using the `dlid` cookie in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue was discovered in the software, which allows for SQL injection via the `id` parameter in the "/admin/dl sendmail.php" API endpoint when an attacker has admin authority. **Recommendations** For zzcms version 2019, avoid using the `id` parameter in the "/admin/dl sendmail.php" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "/admin/dl sendmail.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue exists in the software, allowing SQL Injection in the /admin/dl sendsms.php endpoint via the `id` parameter. **Recommendations** For zzcms version 2019, avoid using the `id` parameter in the /admin/dl sendsms.php endpoint until the issue is resolved. Consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue exists in zzcms 2019 where SQL Injection is possible in the "dl/dl download.php" endpoint via the `id` parameter when its value contains a trailing comma. **Recommendations** For zzcms version 2019, avoid using the `id` parameter with a trailing comma in the "dl/dl download.php" endpoint until a fix is available. As a temporary workaround, consider restricting access to the "dl/dl download.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue exists in the software where SQL Injection is possible. This occurs in the `dl/dl print.php` file through an `id` parameter value that has a trailing comma. **Recommendations** For zzcms version 2019, avoid using the `id` parameter with a trailing comma in the `dl/dl print.php` file until a fix is available. As a temporary workaround, consider restricting access to the `dl/dl print.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** zzcms version 2019 **Description** An issue exists in zzcms 2019 where SQL Injection is possible. This occurs in the user/ztconfig.php file via the `daohang` or `img` POST parameters. **Recommendations** For zzcms version 2019, consider restricting access to the user/ztconfig.php file to minimize the risk of exploitation. Avoid using the `daohang` and `img` parameters in the POST request to this file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: MetInfo version 7.0 beta Description: The issue allows attackers to delete and modify ini files in specific locations, including `app/system/language/admin/language general.class.php` and `app/system/include/function/file.func.php`. Recommendations: For MetInfo version 7.0 beta, consider restricting access to the vulnerable files until a patch is available. As a temporary workaround, restrict modifications to ini files in the affected locations to minimize the risk of exploitation.