CVE-2018-8969

Name of the Vulnerable Software and Affected Versions zzcms version 8.2

Description An issue in zzcms allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request to the "user/licence save.php" endpoint. This can be leveraged for database access by deleting install.lock.

Recommendations For zzcms version 8.2, consider restricting access to the "user/licence save.php" endpoint or disabling the action=modify request functionality until a patch is available. Additionally, restrict the use of the oldimg parameter to prevent directory traversal attacks.