CVE-2018-8893
published 2018-03-31CVE-2018-8893: Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.
PriorityP342high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
EPSS
0.46%
36.9th percentile
Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zblogcn | z-blogphp | — | — |
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-3j9j-2r36-985r: Z-BlogPHP 1
ghsa_unreviewed·2022-05-14
CVE-2018-8893 [HIGH] CWE-352 GHSA-3j9j-2r36-985r: Z-BlogPHP 1
Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.
GHSA
GHSA-g95r-39h2-qxq6: The plugin upload component in Z-BlogPHP 1
ghsa_unreviewed·2022-05-14·CVSS 8.8
CVE-2018-9153 [HIGH] CWE-434 GHSA-g95r-39h2-qxq6: The plugin upload component in Z-BlogPHP 1
The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component must be accessed directly by an administrator, or through CSRF.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2018-03-31
Published