CVE-2024-10291

MEDIUM

ZZCMS 2023 - SQL Injection via phome Parameter in Ebak_DoExecSQL/Ebak_DotranExecutSQL

Title source: llm
STIX 2.1

Description

A vulnerability has been found in ZZCMS 2023 and classified as critical. This vulnerability affects the function Ebak_DoExecSQL/Ebak_DotranExecutSQL of the file 3/Ebak5.1/upload/phome.php. The manipulation of the argument phome leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

References (4)

Core 4
Core References
Third Party Advisory vdb-entry technical-description
https://vuldb.com/?id.281560
Permissions Required, Third Party Advisory signature permissions-required
https://vuldb.com/?ctiid.281560
Third Party Advisory third-party-advisory
https://vuldb.com/?submit.427101
Broken Link exploit issue-tracking
https://github.com/LvZCh/zzcms2023/issues/3

Scores

CVSS v3 6.3
EPSS 0.0047
EPSS Percentile 37.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
zzcms/zzcms 2023
Published Oct 23, 2024
Tracked Since Feb 18, 2026