The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2019-10647 | ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if the 192.168.0.1 web server sends the contents of a .php file (i.e., it does not interpret a .php file). | HIGH | Apr 1, 2019 | n/a |
CVE-2021-32605 | zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an if end if block. | HIGH | May 11, 2021 | n/a |
CVE-2023-45909 | zzzcms v2.2.0 was discovered to contain an open redirect vulnerability. | -- | Oct 19, 2023 | n/a |
CVE-2019-1010151 | zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell. The impact is: getshell. The component is: /user/ppsave.php. | HIGH | Jul 29, 2019 | n/a |
CVE-2019-1010148 | zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution. | HIGH | Jul 24, 2019 | n/a |
CVE-2019-1010149 | zzcms version 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: zzcms File Delete to Code Execution. The component is: user/licence_save.php. | HIGH | Jul 26, 2019 | n/a |
CVE-2018-1000653 | zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx. | HIGH | Aug 20, 2018 | n/a |
CVE-2018-17415 | zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter. | MEDIUM | Mar 22, 2019 | n/a |
CVE-2018-17414 | zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter. | MEDIUM | Mar 22, 2019 | n/a |
CVE-2018-17412 | zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header. | HIGH | Mar 22, 2019 | n/a |
CVE-2018-14962 | zzcms 8.3 has stored XSS related to the content variable in user/manage.php and zt/show.php. | LOW | Aug 6, 2018 | n/a |
CVE-2018-14963 | zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI. | MEDIUM | Aug 6, 2018 | n/a |
CVE-2018-17136 | zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header. | HIGH | Sep 17, 2018 | n/a |
CVE-2019-1010153 | zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php. | HIGH | Jul 24, 2019 | n/a |
CVE-2019-1010152 | zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: user/manage.php line 31-80. | HIGH | Jul 24, 2019 | n/a |
CVE-2019-1010150 | zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: /user/zssave.php. | HIGH | Jul 26, 2019 | n/a |
CVE-2018-7434 | zzcms 8.2 allows remote attackers to discover the full path via a direct request to 3/qq_connect2.0/API/class/ErrorCase.class.php or 3/ucenter_api/code/friend.php. | MEDIUM | Feb 23, 2018 | n/a |
CVE-2023-50104 | ZZCMS 2023 has a file upload vulnerability in 3/E_bak5.1/upload/index.php, allowing attackers to exploit this loophole to gain server privileges and execute arbitrary code. | -- | Dec 29, 2023 | n/a |
CVE-2022-40447 | ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php. | -- | Sep 22, 2022 | n/a |
CVE-2022-40446 | ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=. | -- | Sep 23, 2022 | n/a |
CVE-2022-40444 | ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server. | -- | Sep 23, 2022 | n/a |
CVE-2020-23426 | zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF. | HIGH | Apr 8, 2021 | n/a |
CVE-2019-9078 | zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT. | LOW | Mar 20, 2019 | n/a |
CVE-2022-24644 | ZZ Inc. KeyMouse Windows 3.08 and prior is affected by a remote code execution vulnerability during an unauthenticated update. To exploit this vulnerability, a user must trigger an update of an affected installation of KeyMouse. | MEDIUM | Mar 10, 2022 | n/a |
CVE-2018-9129 | ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections. | MEDIUM | Aug 15, 2018 | n/a |
CVE-2017-17550 | ZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a CSRF vulnerability via a cgi-bin/zysh-cgi cmd action to add a user account. This account\'s access could, for example, subsequently be used for stored XSS. | MEDIUM | Nov 10, 2018 | n/a |
CVE-2021-46387 | ZyXEL ZyWALL 2 Plus Internet Security Appliance is affected by Cross Site Scripting (XSS). Insecure URI handling leads to bypass security restriction to achieve Cross Site Scripting, which allows an attacker able to execute arbitrary JavaScript codes to perform multiple attacks such as clipboard hijacking and session hijacking. | MEDIUM | Mar 2, 2022 | n/a |
CVE-2008-1160 | ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges. | High | Mar 25, 2008 | n/a |
CVE-2017-7964 | Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process. | HIGH | Apr 19, 2017 | n/a |
CVE-2020-24354 | Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by shell injection. | MEDIUM | Sep 4, 2020 | n/a |
CVE-2020-24355 | Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by insecure permissions which allows regular and other users to create new users with elevated privileges. This is done by changing FirstIndex field in JSON that is POST-ed during account creation. Similar may also be possible with account deletion. | HIGH | Sep 2, 2020 | n/a |
CVE-2019-7391 | ZyXEL VMG3312-B10B DSL-491HNU-B1B v2 devices allow login/login-page.cgi CSRF. | MEDIUM | Mar 25, 2019 | n/a |
CVE-2018-18754 | ZyXEL VMG3312-B10B 1.00(AAPP.7) devices have a backdoor root account with the tTn3+Z@!Sr0O+ password hash in the etc/default.cfg file. | MEDIUM | Oct 29, 2018 | n/a |
CVE-2018-15602 | Zyxel VMG3312 B10B devices are affected by a persistent XSS vulnerability via the pages/connectionStatus/connectionStatus-hostEntry.cmd hostname parameter. | MEDIUM | Aug 26, 2018 | n/a |
CVE-2018-19326 | Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory Traversal, as demonstrated by reading /etc/passwd. | MEDIUM | Nov 17, 2018 | n/a |
CVE-2016-10227 | Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial of service (CPU consumption) via a flood of ICMPv4 Port Unreachable packets. | HIGH | Feb 23, 2017 | n/a |
CVE-2008-1527 | ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), support authentication over HTTP via a hash string in the hiddenPassword field, which allows remote attackers to obtain access via a replay attack. | High | Mar 26, 2008 | n/a |
CVE-2008-1526 | ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords. | Medium | Mar 26, 2008 | n/a |
CVE-2008-1523 | ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), allow remote authenticated users to obtain ISP and Dynamic DNS credentials by sending a direct request for (1) WAN.html, (2) wzPPPOE.html, and (3) rpDyDNS.html, and then reading the HTML source. | Medium | Mar 26, 2008 | n/a |
CVE-2008-1528 | ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), allow remote authenticated users to obtain authentication data by making direct HTTP requests and then reading the HTML source, as demonstrated by a request for (1) RemMagSNMP.html, which discloses SNMP communities; or (2) WLAN.html, which discloses WEP keys. | Medium | Mar 26, 2008 | n/a |
CVE-2008-1522 | ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), have (1) "user" as their default password for the "user" account and (2) "1234" as their default password for the "admin" account, which makes it easier for remote attackers to obtain access. | High | Mar 26, 2008 | n/a |
CVE-2008-1521 | ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), allow remote authenticated users to gain privileges by accessing administrative URIs, as demonstrated by rpSysAdmin.html. | Medium | Mar 26, 2008 | n/a |
CVE-2008-1529 | ZyXEL Prestige routers have a minimum password length for the admin account that is too small, which makes it easier for remote attackers to guess passwords via brute force methods. | Medium | Mar 26, 2008 | n/a |
CVE-2015-6020 | ZyXEL PMG5318-B20A devices with firmware 1.00AANC0b5 allow remote authenticated users to obtain administrative privileges by leveraging access to the user account. | High | Dec 31, 2015 | n/a |
CVE-2016-10401 | ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices). | HIGH | Jul 25, 2017 | n/a |
CVE-2015-6016 | ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0), PMG5318-B20A devices with firmware 1.00AANC0b5, and NBG-418N devices have a default password of 1234 for the admin account, which allows remote attackers to obtain administrative access via unspecified vectors. | High | Dec 31, 2015 | n/a |
CVE-2018-5330 | ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (router unreachable/unresponsive) via a flood of fragmented UDP packets. | HIGH | Jan 16, 2018 | n/a |
CVE-2017-17901 | ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via a flood of IP packets with a TTL of 1. | HIGH | Dec 29, 2017 | n/a |
CVE-2019-15815 | ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges. | MEDIUM | Nov 12, 2019 | n/a |
CVE-2015-7256 | ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A, VMG1312-B30A, VMG1312-B30B, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, VMG8924-B30A, and VSG1435-B101 DSL CPEs; PMG5318-B20A GPONs; SBG3300-N000, SBG3300-NB00, and SBG3500-N000 small business gateways; GS1900-8 and GS1900-24 switches; and C1000Z, Q1000, FR1000Z, and P8702N project models use non-unique X.509 certificates and SSH host keys. | MEDIUM | Sep 28, 2017 | n/a |