| tiêu đề | zzcms zzcms2025 Command Injection |
|---|
| Mô tả | ZZCMS 2025 version has a remote code execution vulnerability in the backend website settings module. An authenticated administrator can inject malicious PHP code by modifying the "ICP" field, thereby achieving remote code execution on the server.
The vulnerability exists in the website configuration management function (`/admin/siteconfig.php`). When the administrator saves the website configuration, the `icp` parameter is processed by the `stripfxg()` function, which reverses the escaping done by `addfxg()`. This allows an attacker to inject PHP code, which is written to `/inc/config.php` and executed when any page is accessed. |
|---|
| Nguồn | ⚠️ https://note-hxlab.wetolink.com/share/ekNgcv2wVBya |
|---|
| Người dùng | airrudder (UID 25092) |
|---|
| Đệ trình | 10/12/2025 07:38 (cách đây 6 các tháng) |
|---|
| Kiểm duyệt | 17/12/2025 16:49 (7 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 336987 [ZZCMS 2025 Backend Website Settings /admin/siteconfig.php stripfxg icp nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|