Zzcms ≫ Zzcms

XSS exists in zzcms v8.3 via the /uploadimg_form.php noshuiyin parameter.

zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter.

zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter.

A SQL injection vulnerability exists in zzcms v8.3 via the /admin/adclass.php bigclassid parameter.

zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT.

admin/dl_data.php in zzcms 2018 (2018-10-19) allows remote attackers to delete arbitrary files via action=del&filename=../ directory traversal.

An issue was discovered in zzcms 8.3. SQL Injection exists in ajax/zs.php via a pxzs cookie.

An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs.php via a pxzs cookie.

An issue was discovered in zzcms 8.3. SQL Injection exists in admin/classmanage.php via the tablename parameter. (This needs an admin user login.)

An issue was discovered in zzcms 8.3. SQL Injection exists in zt/top.php via a Host HTTP header to zt/news.php.