Search criteria
6 vulnerabilities found for zhicms by zhicms
CVE-2024-2016 (GCVE-0-2024-2016)
Vulnerability from nvd – Published: 2024-02-29 21:31 – Updated: 2024-08-01 18:56
VLAI?
Title
ZhiCms setcontroller.php index code injection
Summary
A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255270 is the identifier assigned to this vulnerability.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-94 - Code Injection
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
linyz-tel (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zhicms:zhicms:4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "zhicms",
"vendor": "zhicms",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2016",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T18:38:52.427931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:29:49.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-255270 | ZhiCms setcontroller.php index code injection",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.255270"
},
{
"name": "VDB-255270 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.255270"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://gist.github.com/L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ZhiCms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "linyz-tel (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255270 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in ZhiCms 4.0 gefunden. Sie wurde als kritisch eingestuft. Es betrifft die Funktion index der Datei app/manage/controller/setcontroller.php. Durch Manipulation des Arguments sitename mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T21:31:04.756Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-255270 | ZhiCms setcontroller.php index code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.255270"
},
{
"name": "VDB-255270 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.255270"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-29T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-29T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-29T15:18:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhiCms setcontroller.php index code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-2016",
"datePublished": "2024-02-29T21:31:04.756Z",
"dateReserved": "2024-02-29T14:12:42.926Z",
"dateUpdated": "2024-08-01T18:56:22.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2015 (GCVE-0-2024-2015)
Vulnerability from nvd – Published: 2024-02-29 21:00 – Updated: 2024-08-01 18:56
VLAI?
Title
ZhiCms mcontroller.php getindexdata sql injection
Summary
A vulnerability, which was classified as critical, has been found in ZhiCms 4.0. This issue affects the function getindexdata of the file app/index/controller/mcontroller.php. The manipulation of the argument key leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255269 was assigned to this vulnerability.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2015",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T19:45:04.848872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T19:45:13.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.732Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-255269 | ZhiCms mcontroller.php getindexdata sql injection",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.255269"
},
{
"name": "VDB-255269 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.255269"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://gist.github.com/L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ZhiCms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in ZhiCms 4.0. This issue affects the function getindexdata of the file app/index/controller/mcontroller.php. The manipulation of the argument key leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255269 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in ZhiCms 4.0 entdeckt. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion getindexdata der Datei app/index/controller/mcontroller.php. Durch die Manipulation des Arguments key mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T21:00:10.058Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-255269 | ZhiCms mcontroller.php getindexdata sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.255269"
},
{
"name": "VDB-255269 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.255269"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-29T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-29T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-29T15:18:00.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhiCms mcontroller.php getindexdata sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-2015",
"datePublished": "2024-02-29T21:00:10.058Z",
"dateReserved": "2024-02-29T14:12:40.854Z",
"dateUpdated": "2024-08-01T18:56:22.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0603 (GCVE-0-2024-0603)
Vulnerability from nvd – Published: 2024-01-16 22:00 – Updated: 2025-06-02 15:07
VLAI?
Title
ZhiCms giftcontroller.php deserialization
Summary
A vulnerability classified as critical has been found in ZhiCms up to 4.0. This affects an unknown part of the file app/plug/controller/giftcontroller.php. The manipulation of the argument mylike leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250839.
Severity ?
7.3 (High)
7.3 (High)
CWE
- CWE-502 - Deserialization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
glzjin (VulDB User)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.651Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.250839"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.250839"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/n3QsNbORUR0e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:43:25.096507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:07:05.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ZhiCms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in ZhiCms up to 4.0. This affects an unknown part of the file app/plug/controller/giftcontroller.php. The manipulation of the argument mylike leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250839."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in ZhiCms bis 4.0 entdeckt. Sie wurde als kritisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Datei app/plug/controller/giftcontroller.php. Mittels Manipulieren des Arguments mylike mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T19:12:16.921Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.250839"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.250839"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/n3QsNbORUR0e"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-01-16T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2024-01-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-06T09:18:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhiCms giftcontroller.php deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-0603",
"datePublished": "2024-01-16T22:00:07.479Z",
"dateReserved": "2024-01-16T15:41:44.262Z",
"dateUpdated": "2025-06-02T15:07:05.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2016 (GCVE-0-2024-2016)
Vulnerability from cvelistv5 – Published: 2024-02-29 21:31 – Updated: 2024-08-01 18:56
VLAI?
Title
ZhiCms setcontroller.php index code injection
Summary
A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255270 is the identifier assigned to this vulnerability.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-94 - Code Injection
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
linyz-tel (VulDB User)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zhicms:zhicms:4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "zhicms",
"vendor": "zhicms",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2016",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T18:38:52.427931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:29:49.912Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-255270 | ZhiCms setcontroller.php index code injection",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.255270"
},
{
"name": "VDB-255270 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.255270"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://gist.github.com/L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ZhiCms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "linyz-tel (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, was found in ZhiCms 4.0. Affected is the function index of the file app/manage/controller/setcontroller.php. The manipulation of the argument sitename leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-255270 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in ZhiCms 4.0 gefunden. Sie wurde als kritisch eingestuft. Es betrifft die Funktion index der Datei app/manage/controller/setcontroller.php. Durch Manipulation des Arguments sitename mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T21:31:04.756Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-255270 | ZhiCms setcontroller.php index code injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.255270"
},
{
"name": "VDB-255270 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.255270"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-29T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-29T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-29T15:18:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhiCms setcontroller.php index code injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-2016",
"datePublished": "2024-02-29T21:31:04.756Z",
"dateReserved": "2024-02-29T14:12:42.926Z",
"dateUpdated": "2024-08-01T18:56:22.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2015 (GCVE-0-2024-2015)
Vulnerability from cvelistv5 – Published: 2024-02-29 21:00 – Updated: 2024-08-01 18:56
VLAI?
Title
ZhiCms mcontroller.php getindexdata sql injection
Summary
A vulnerability, which was classified as critical, has been found in ZhiCms 4.0. This issue affects the function getindexdata of the file app/index/controller/mcontroller.php. The manipulation of the argument key leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255269 was assigned to this vulnerability.
Severity ?
6.3 (Medium)
6.3 (Medium)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2015",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T19:45:04.848872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T19:45:13.577Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.732Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-255269 | ZhiCms mcontroller.php getindexdata sql injection",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.255269"
},
{
"name": "VDB-255269 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.255269"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://gist.github.com/L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ZhiCms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in ZhiCms 4.0. This issue affects the function getindexdata of the file app/index/controller/mcontroller.php. The manipulation of the argument key leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-255269 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in ZhiCms 4.0 entdeckt. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion getindexdata der Datei app/index/controller/mcontroller.php. Durch die Manipulation des Arguments key mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T21:00:10.058Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-255269 | ZhiCms mcontroller.php getindexdata sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.255269"
},
{
"name": "VDB-255269 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.255269"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/L1nyz-tel/e3ee6f3401a9d1c580be1a9b4a8afab5"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-29T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-29T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-29T15:18:00.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhiCms mcontroller.php getindexdata sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-2015",
"datePublished": "2024-02-29T21:00:10.058Z",
"dateReserved": "2024-02-29T14:12:40.854Z",
"dateUpdated": "2024-08-01T18:56:22.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0603 (GCVE-0-2024-0603)
Vulnerability from cvelistv5 – Published: 2024-01-16 22:00 – Updated: 2025-06-02 15:07
VLAI?
Title
ZhiCms giftcontroller.php deserialization
Summary
A vulnerability classified as critical has been found in ZhiCms up to 4.0. This affects an unknown part of the file app/plug/controller/giftcontroller.php. The manipulation of the argument mylike leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250839.
Severity ?
7.3 (High)
7.3 (High)
CWE
- CWE-502 - Deserialization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
glzjin (VulDB User)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.651Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.250839"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.250839"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/n3QsNbORUR0e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:43:25.096507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:07:05.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ZhiCms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in ZhiCms up to 4.0. This affects an unknown part of the file app/plug/controller/giftcontroller.php. The manipulation of the argument mylike leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250839."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in ZhiCms bis 4.0 entdeckt. Sie wurde als kritisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Datei app/plug/controller/giftcontroller.php. Mittels Manipulieren des Arguments mylike mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T19:12:16.921Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.250839"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.250839"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/n3QsNbORUR0e"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-01-16T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2024-01-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-02-06T09:18:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZhiCms giftcontroller.php deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-0603",
"datePublished": "2024-01-16T22:00:07.479Z",
"dateReserved": "2024-01-16T15:41:44.262Z",
"dateUpdated": "2025-06-02T15:07:05.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}