Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Zblogcn Subscribe
Total 19 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-40357 1 Zblogcn 1 Z-blogphp 2022-09-22 N/A 9.8 CRITICAL
A security issue was discovered in Z-BlogPHP <= 1.7.2. A Server-Side Request Forgery (SSRF) vulnerability in the zb_users/plugin/UEditor/php/action_crawler.php file allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter.
CVE-2020-29176 1 Zblogcn 1 Z-blogphp 2021-12-06 6.8 MEDIUM 7.8 HIGH
An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file.
CVE-2020-29177 1 Zblogcn 1 Z-blogphp 2021-12-03 6.4 MEDIUM 9.1 CRITICAL
Z-BlogPHP v1.6.1.2100 was discovered to contain an arbitrary file deletion vulnerability via \app_del.php.
CVE-2020-18268 1 Zblogcn 1 Z-blogphp 2021-06-15 5.8 MEDIUM 6.1 MEDIUM
Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers to obtain sensitive information via the "redirect" parameter in the component "zb_system/cmd.php."
CVE-2020-23352 1 Zblogcn 1 Z-blogphp 2021-02-04 5.0 MEDIUM 7.5 HIGH
Z-BlogPHP 1.6.0 Valyria is affected by incorrect access control. PHP loose comparison and a magic hash can be used to bypass authentication. zb_user/plugin/passwordvisit/include.php:passwordvisit_input_password() uses loose comparison to authenticate, which can be bypassed via magic hash values.
CVE-2018-11209 1 Zblogcn 1 Z-blogphp 2019-10-02 4.0 MEDIUM 7.2 HIGH
** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. zb_system/cmd.php?act=verify relies on MD5 for the password parameter, which might make it easier for attackers to bypass intended access restrictions via a dictionary or rainbow-table attack. NOTE: the vendor declined to accept this as a valid issue.
CVE-2018-18381 1 Zblogcn 1 Z-blogphp 2019-09-23 3.5 LOW 5.4 MEDIUM
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-10680 1 Zblogcn 1 Z-blogphp 2019-04-17 4.3 MEDIUM 6.1 MEDIUM
** DISPUTED ** Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug."
CVE-2018-19556 1 Zblogcn 1 Z-blogphp 2019-04-16 4.3 MEDIUM 4.3 MEDIUM
** DISPUTED ** zb_system/admin/index.php?act=UploadMng in Z-BlogPHP 1.5 mishandles file preview, leading to content spoofing. NOTE: the software maintainer disputes that this is a vulnerability.
CVE-2018-7736 1 Zblogcn 1 Z-blogphp 2019-04-16 4.3 MEDIUM 6.1 MEDIUM
** DISPUTED ** In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability.
CVE-2018-11208 1 Zblogcn 1 Z-blogphp 2019-04-16 3.5 LOW 4.8 MEDIUM
** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a persistent XSS that allows remote attackers to inject arbitrary web script or HTML into background web site settings via the "copyright information office" field. NOTE: the vendor indicates that the product was not intended to block this type of XSS by a user with the admin privilege.
CVE-2018-7737 1 Zblogcn 1 Z-blogphp 2019-04-16 5.0 MEDIUM 5.3 MEDIUM
** DISPUTED ** In Z-BlogPHP 1.5.1.1740, there is Web Site physical path leakage, as demonstrated by admin_footer.php or admin_footer.php. NOTE: the software maintainer disputes that this is a vulnerability.
CVE-2018-19463 1 Zblogcn 1 Z-blogphp 2019-03-06 6.5 MEDIUM 8.8 HIGH
** DISPUTED ** zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. NOTE: The vendor's position is "We have no dynamic including. No one can run PHP by uploading an image in current version." It also requires authentication.
CVE-2018-18842 1 Zblogcn 1 Z-blogphp 2019-01-09 6.8 MEDIUM 8.8 HIGH
CSRF exists in zb_users/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 (Zero), which allows remote attackers to execute arbitrary PHP code.
CVE-2018-9153 1 Zblogcn 1 Z-blogphp 2018-05-23 6.5 MEDIUM 7.2 HIGH
The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directly by an administrator, or through CSRF.
CVE-2018-9169 1 Zblogcn 1 Z-blogphp 2018-05-18 3.5 LOW 4.8 MEDIUM
Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF.
CVE-2018-8893 1 Zblogcn 1 Z-blogphp 2018-05-01 6.8 MEDIUM 8.8 HIGH
Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.
CVE-2018-6656 1 Zblogcn 1 Z-blogphp 2018-03-13 5.8 MEDIUM 6.5 MEDIUM
Z-BlogPHP 1.5.1 has CSRF via zb_users/plugin/AppCentre/app_del.php, as demonstrated by deleting files and directories.
CVE-2018-6846 1 Zblogcn 1 Z-blogphp 2018-03-08 5.0 MEDIUM 5.3 MEDIUM
Z-BlogPHP 1.5.1 allows remote attackers to discover the full path via a direct request to zb_system/function/lib/upload.php.