Gkdf1Sh

**Name of the Vulnerable Software and Affected Versions** ZZCMS versions 2023 and earlier **Description** The issue allows a remote attacker to obtain sensitive information. This is achieved via the `id` parameter in the "adv2.php" component. **Recommendations** For ZZCMS versions 2023 and earlier, consider disabling the `id` parameter in the "adv2.php" component as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZZCMS versions 2023 and earlier **Description** A Cross Site Scripting issue allows a remote attacker to obtain sensitive information via a crafted script to the `pagename` parameter of the "admin/del.php" component. This flaw enables the attacker to execute malicious scripts, potentially leading to unauthorized access to sensitive data. **Recommendations** For ZZCMS versions 2023 and earlier, consider disabling the `pagename` parameter in the "admin/del.php" component as a temporary workaround until a patch is available. Restrict access to the admin component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ZZCMS versions 2023 and earlier **Description** A sensitive information disclosure issue exists in the eginfo.php file, located at /3/E bak5.1/upload/. When accessed with the query parameter `phome=ShowPHPInfo`, the application executes the `phpinfo()` function, exposing detailed information about the PHP environment, including server configuration, loaded modules, and environment variables. **Recommendations** For ZZCMS versions 2023 and earlier, as a temporary workaround, consider restricting access to the eginfo.php file and the `phome=ShowPHPInfo` query parameter until a patch is available. Avoid using the `phome` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZZCMS versions 2023 and earlier **Description** A reflected cross-site scripting (XSS) issue exists due to the direct insertion of the `HTTP REFERER` header value into the HTML response without proper sanitization in the `user/login.php` file at line 24. An attacker can exploit this by tricking a user into visiting a specially crafted URL with a malicious `Referer` header, potentially leading to the execution of arbitrary JavaScript code in the victim's browser. This could result in session hijacking, defacement, or other malicious activities. **Recommendations** For ZZCMS versions 2023 and earlier, as a temporary workaround, consider sanitizing the `HTTP REFERER` header value before inserting it into the HTML response to prevent the execution of malicious JavaScript code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZZCMS versions 2023 and earlier **Description** An arbitrary file deletion issue exists due to insufficient validation and sanitization of user input for file paths in the admin/del.php file at line 62. This allows an attacker to use directory traversal techniques to delete arbitrary files on the server, potentially disrupting system operation. **Recommendations** For ZZCMS versions 2023 and earlier, as a temporary workaround, consider restricting access to the admin/del.php file until a patch is available. Additionally, ensure proper validation and sanitization of user input for file paths to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.