CVE-2018-16344

HIGH

zzcms 8.3 - Unauthenticated Path Traversal and Arbitrary File Deletion via flv Parameter

Title source: llm

Description

An issue was discovered in zzcms 8.3. It allows remote attackers to delete arbitrary files via directory traversal sequences in the flv parameter. This can be leveraged for database access by deleting install.lock.

Scores

CVSS v3: 7.5
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0189
EPSS Percentile: 76.9%

Details

CWE: CWE-22
Status: published
Products (1): zzcms/zzcms 8.3
Published: Sep 02, 2018
Tracked Since: Feb 18, 2026