CVE-2019-9182

Name of the Vulnerable Software and Affected Versions ZZZCMS zzzphp version 1.6.1

Description The issue allows for PHP code injection through a CSRF attack. This is achieved by sending a request to the "/admin015/save.php?act=editfile" endpoint, where an attacker can provide a filename in the file parameter and malicious file content in the filetext parameter.

Recommendations For ZZZCMS zzzphp version 1.6.1, as a temporary workaround, consider restricting access to the "/admin015/save.php?act=editfile" endpoint to minimize the risk of exploitation. Avoid using the file and filetext parameters in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.