CVE-2024-10291 | THREATINT

Description

A vulnerability has been found in ZZCMS 2023 and classified as critical. This vulnerability affects the function Ebak_DoExecSQL/Ebak_DotranExecutSQL of the file 3/Ebak5.1/upload/phome.php. The manipulation of the argument phome leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

In ZZCMS 2023 wurde eine kritische Schwachstelle gefunden. Es geht um die Funktion Ebak_DoExecSQL/Ebak_DotranExecutSQL der Datei 3/Ebak5.1/upload/phome.php. Durch Manipulation des Arguments phome mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

Reserved 2024-10-23 | Published 2024-10-23 | Updated 2024-10-23 | Assigner VulDB

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

Problem types

SQL Injection

Timeline

2024-10-23:	Advisory disclosed
2024-10-23:	VulDB entry created
2024-10-23:	VulDB entry last update

Credits

LVZC (VulDB User) reporter

References

vuldb.com/?id.281560 (VDB-281560 | ZZCMS phome.php Ebak_DotranExecutSQL sql injection) vdb-entry technical-description

vuldb.com/?ctiid.281560 (VDB-281560 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.427101 (Submit #427101 | zzcms 2023 COMMAND EXECUTION) third-party-advisory

github.com/LvZCh/zzcms2023/issues/3 exploit issue-tracking

cve.org (CVE-2024-10291)

nvd.nist.gov (CVE-2024-10291)

Download JSON