CVE-2022-40446

Name of the Vulnerable Software and Affected Versions ZZCMS version 2022

Description The issue is related to a SQL injection vulnerability in the ZZCMS system, specifically in the admin/sendmailto.php component. This vulnerability arises from the lack of protection against SQL query structure manipulation when handling the tomail and groupid parameters. An attacker can exploit this vulnerability to execute arbitrary SQL code remotely.

Recommendations For ZZCMS version 2022, as a temporary workaround, consider restricting access to the /admin/sendmailto.php component until a patch is available. Avoid using the tomail and groupid parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.