PT-2018-14654 · Zzcms · Zzcms
Published 2018-10-29 · Updated 2018-12-04 · CVE-2018-18790
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
zzcms version 8.3
Description
An SQL injection vulnerability exists in zzcms version 8.3. It occurs in the
admin/special_add.php endpoint via the zxbigclassid cookie, and it requires an admin user to be logged in.
Recommendations
For zzcms version 8.3, consider restricting access to the admin/special_add.php endpoint until a patch is available, and avoid using the zxbigclassid cookie in this endpoint to minimize the risk of exploitation.
Exploit
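The following is an added illustration, not zzcms's own code and not the patched handler. It shows, in a hypothetical admin handler, why a cookie-sourced id such as zxbigclassid becomes an SQL injection sink when it is concatenated into a query, and the hardened form that the recommendation above points toward: validate the value as an integer, bind it as a parameter, and keep the endpoint behind an admin session check. The table name zz_bigclass, the column names and the session key admin_id are assumptions.

```php
<?php
// Added example (not zzcms code): hypothetical handler that selects a category by the
// "zxbigclassid" cookie. Table/column names and the session key are assumptions.

// Risky pattern: the raw cookie value is spliced into the SQL text, so whatever the
// client stores in the cookie becomes part of the statement the database parses.
function load_special_unsafe(mysqli $db): ?array
{
    $bigclassid = $_COOKIE['zxbigclassid'] ?? '';
    $sql = "SELECT id, name FROM zz_bigclass WHERE id = " . $bigclassid;
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened pattern: the cookie is treated as untrusted input, accepted only if it is a
// short decimal integer, and bound as a typed parameter so it can never change the
// query structure. Anything else is rejected with 400 instead of reaching the database.
function load_special_safe(mysqli $db): ?array
{
    $raw = $_COOKIE['zxbigclassid'] ?? null;
    if ($raw === null || !preg_match('/^\d{1,9}$/', $raw)) {
        http_response_code(400);
        return null;
    }
    $bigclassid = (int) $raw;

    $stmt = $db->prepare("SELECT id, name FROM zz_bigclass WHERE id = ?");
    $stmt->bind_param('i', $bigclassid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Interim mitigation from the advisory, as code: the endpoint must only be reachable by
// an authenticated admin session. This limits who can trigger the flaw but does not fix
// it, which is why load_special_safe() still validates and binds the value.
function require_admin(): void
{
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit;
    }
}

session_start();
require_admin();
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'zzcms'); // placeholder credentials
$row = load_special_safe($db);
```

The admin-only precondition (PR:H in the vector) lowers the score but does not make the injection harmless: the confidentiality, integrity and availability impacts are all High, because a compromised or phished admin session still gets full SQL control. Validation plus parameter binding, rather than access restriction alone, is what removes the sink.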
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Zzcms