The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2018-18784 | An issue was discovered in zzcms 8.3. SQL Injection exists in admin/tagmanage.php via the tabletag parameter. (This needs an admin user login.) | MEDIUM | Oct 29, 2018 |
CVE-2018-18790 | An issue was discovered in zzcms 8.3. SQL Injection exists in admin/special_add.php via a zxbigclassid cookie. (This needs an admin user login.) | MEDIUM | Oct 29, 2018 |
CVE-2018-18788 | An issue was discovered in zzcms 8.3. SQL Injection exists in admin/classmanage.php via the tablename parameter. (This needs an admin user login.) | MEDIUM | Oct 29, 2018 |
CVE-2018-16344 | An issue was discovered in zzcms 8.3. It allows remote attackers to delete arbitrary files via directory traversal sequences in the flv parameter. This can be leveraged for database access by deleting install.lock. | MEDIUM | Sep 2, 2018 |
CVE-2018-8965 | An issue was discovered in zzcms 8.2. user/ppsave.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | MEDIUM | Mar 24, 2018 |
CVE-2018-8968 | An issue was discovered in zzcms 8.2. user/manage.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg or oldflv parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | MEDIUM | Mar 24, 2018 |
CVE-2018-8969 | An issue was discovered in zzcms 8.2. user/licence_save.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter in an action=modify request. This can be leveraged for database access by deleting install.lock. | MEDIUM | Mar 24, 2018 |
CVE-2018-9331 | An issue was discovered in zzcms 8.2. user/adv.php allows remote attackers to delete arbitrary files via directory traversal sequences in the oldimg parameter. This can be leveraged for database access by deleting install.lock. | MEDIUM | Apr 6, 2018 |
CVE-2018-8967 | An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request. | HIGH | Mar 24, 2018 |
CVE-2018-9309 | An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request. | MEDIUM | Apr 4, 2018 |
CVE-2018-8966 | An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php. | MEDIUM | Mar 24, 2018 |
CVE-2022-44361 | An issue was discovered in ZZCMS 2022. There is a cross-site scripting (XSS) vulnerability in admin/ad_list.php. | -- | Dec 9, 2022 |
CVE-2021-46436 | An issue was discovered in ZZCMS 2021. There is a SQL injection vulnerability in ad_manage.php. | MEDIUM | Apr 8, 2022 |
CVE-2021-46437 | An issue was discovered in ZZCMS 2021. There is a cross-site scripting (XSS) vulnerability in ad_manage.php. | LOW | Apr 8, 2022 |
CVE-2019-12355 | An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /user/dls_print.php (when the attacker has dls_print authority) via the id parameter. | MEDIUM | Jun 17, 2022 |
CVE-2019-12356 | An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /user/dls_download.php (when the attacker has dls_download authority) via the id parameter. | MEDIUM | Jun 17, 2022 |
CVE-2019-12358 | An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /dl/dl_sendsms.php (when the attacker has dls_print authority) via a dlid cookie. | MEDIUM | Jun 17, 2022 |
CVE-2019-12352 | An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie. | MEDIUM | Jun 17, 2022 |
CVE-2019-12359 | An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/ztliuyan_sendmail.php (when the attacker has admin authority) via the id parameter. | MEDIUM | Jun 17, 2022 |
CVE-2019-12354 | An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/showbad.php (when the attacker has admin authority) via the id parameter. | MEDIUM | Jun 17, 2022 |
CVE-2019-12353 | An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/dl_sendmail.php (when the attacker has admin authority) via the id parameter. | MEDIUM | Jun 17, 2022 |
CVE-2019-12357 | An issue was discovered in zzcms 2019. There is a SQL injection vulnerability in /admin/deluser.php (when the attacker has admin authority) via the id parameter. | MEDIUM | Jun 17, 2022 |
CVE-2019-12348 | An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter. | HIGH | May 27, 2021 |
CVE-2019-12351 | An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma. | HIGH | Jun 2, 2022 |
CVE-2019-12350 | An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_download.php via an id parameter value with a trailing comma. | HIGH | Jun 2, 2022 |
CVE-2019-12349 | An issue was discovered in zzcms 2019. SQL Injection exists in /admin/dl_sendsms.php via the id parameter. | HIGH | Jun 2, 2022 |
CVE-2018-12557 | An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could lead to accidentally leaking credentials or secrets. | MEDIUM | Jun 19, 2018 |
CVE-2021-30478 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation. | MEDIUM | Apr 15, 2021 |
CVE-2021-30479 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization. | MEDIUM | Apr 15, 2021 |
CVE-2021-30477 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to. | MEDIUM | Apr 15, 2021 |
CVE-2018-0502 | An issue was discovered in zsh before 5.6. The beginning of a #! script file was mishandled, potentially leading to an execve call to a program named on the second line. | HIGH | Sep 5, 2018 |
CVE-2018-13259 | An issue was discovered in zsh before 5.6. Shebang lines exceeding 64 characters were truncated, potentially leading to an execve call to a program name that is a substring of the intended one. | HIGH | Sep 5, 2018 |
CVE-2019-16643 | An issue was discovered in ZrLog 2.1.1. There is a Stored XSS vulnerability in the article_edit area. | LOW | Sep 20, 2019 |
CVE-2018-17421 | An issue was discovered in ZrLog 2.0.3. There is stored XSS in the file upload area via a crafted attached/file/ pathname. | MEDIUM | Mar 22, 2019 |
CVE-2018-17420 | An issue was discovered in ZrLog 2.0.3. There is a SQL injection vulnerability in the article management search box via the keywords parameter. | MEDIUM | Mar 22, 2019 |
CVE-2018-17079 | An issue was discovered in ZRLOG 2.0.1. There is a Stored XSS vulnerability in the nickname field of the comment area. | MEDIUM | Jun 20, 2019 |
CVE-2019-6777 | An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter. | MEDIUM | Jan 24, 2019 |
CVE-2023-40274 | An issue was discovered in zola 0.13.0 through 0.17.2. The custom implementation of a web server, available via the zola serve command, allows directory traversal. The handle_request function, used by the server to process HTTP requests, does not account for sequences of special path control characters (../) in the URL when serving a file, which allows one to escape the webroot of the server and read arbitrary files from the filesystem. | -- | Aug 14, 2023 |
CVE-2019-12541 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. | MEDIUM | Jun 6, 2019 |
CVE-2019-12538 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field. | MEDIUM | Jun 6, 2019 |
CVE-2019-12542 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. | MEDIUM | Jun 6, 2019 |
CVE-2019-12189 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field. | MEDIUM | May 23, 2019 |
CVE-2019-12543 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. | MEDIUM | Jun 6, 2019 |
CVE-2018-7248 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the account exists, or 'null' if it does not. | MEDIUM | May 11, 2018 |
CVE-2019-12540 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field. | MEDIUM | Jul 15, 2019 |
CVE-2019-20474 | An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.447. The service to test the mail-server configuration suffers from an authorization issue allowing a user with the Guest role (read-only access) to use and abuse it. One of the abuses allows performing network and port scan operations of the localhost or the hosts on the same network segment, aka SSRF. | MEDIUM | Feb 20, 2020 |
CVE-2019-15104 | An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. | HIGH | Aug 26, 2019 |
CVE-2019-15106 | An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm'" string is used for the password. For example, if the username is admin, the password is admin@opm. | HIGH | Aug 27, 2019 |
CVE-2019-17602 | An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated. | HIGH | Oct 17, 2019 |
CVE-2017-11559 | An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack. | MEDIUM | May 24, 2019 |