CVE-2015-7347

MEDIUM

ZCMS 1.1 - Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-7347. PoCs published by hyp3rlinx.

AI-analyzed exploit summary This exploit demonstrates SQL injection and persistent XSS vulnerabilities in ZCMS 1.1. It includes payloads to bypass admin authentication and inject malicious scripts into the database or comment fields.

Description

Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Content Management System 1.1.

Exploits (1)

exploitdb WORKING POC VERIFIED

by hyp3rlinx · textwebappsjsp

https://www.exploit-db.com/exploits/37272

View Code ZIP pw:eip

This exploit demonstrates SQL injection and persistent XSS vulnerabilities in ZCMS 1.1. It includes payloads to bypass admin authentication and inject malicious scripts into the database or comment fields.

Classification

Working Poc 90%

Attack Type

Sqli | Xss | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: ZCMS 1.1

No auth needed

Prerequisites: Access to the login page · Basic knowledge of SQL injection and XSS

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/132286/ZCMS-1.1-Cross-Site-Scripting-SQL-Injection.html

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/37272/

Scores

CVSS v3 4.8

EPSS 0.0111

EPSS Percentile 61.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

zcms_project/zcms 1.1

Published Sep 20, 2017

Tracked Since Feb 18, 2026