CVE-2018-8968

Name of the Vulnerable Software and Affected Versions zzcms version 8.2

Description An issue was discovered that allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an "action=modify" request to the "user/manage.php" endpoint. This can be leveraged for database access by deleting install.lock.

Recommendations For zzcms version 8.2, restrict access to the "user/manage.php" endpoint to minimize the risk of exploitation, and avoid using the oldimg or oldflv parameters in requests until the issue is resolved.