CVE-2019-9041
published 2019-02-23

Priority P258 high | 7.2 CVSS 3.0
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 31.42% (98.1th percentile)
An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.

Affected

1 range
Vendor | Product | Version range | Fixed in
zzzcms | zzzphp | |

Detection & IOCs (extracted from sources)

path: /inc/zzz_template.php
command: {if:assert($_POST[x])}phpinfo();{end if}
command: keys={if:array_map(base_convert(27440799224,10,32),array(1))}{end if}
sigma:
matchers:
- type: dsl
  dsl:
  - 'status_code_2 == 200'
  - '!contains(body_1, "phpinfo")'
  - 'contains_all(body_2, "phpinfo","PHP Version")'
  condition: and

• Detect the 'if:assert' substring in HTTP request bodies or template files, as this is the specific bypass pattern exploiting the weak filtering in parserIfLabel().
• Monitor for CSRF-based POST requests that write template content containing '{if:' blocks to the ZZZCMS admin panel template editor, which can chain into RCE without direct admin credentials.
• Flag responses to POST /search/ that contain both 'phpinfo' and 'PHP Version' in the body, as this indicates successful code execution via the template injection vulnerability.
• Inspect template files (e.g., search.html) in ZZZCMS installations for the presence of '{if:assert(...)}{end if}' or similar dynamic PHP evaluation constructs injected by an attacker.
• The RCE exploit (CVE-2019-9041) in its basic form requires authenticated access to the admin panel to edit templates; however, it can be chained with the CSRF vulnerability (CVE-2019-9082) to achieve unauthenticated exploitation.
• The vulnerability affects ZZZCMS zzzphp version 1.6.1 specifically; the nuclei template targets POST /search/ with Content-Type: application/x-www-form-urlencoded and requires two sequential requests to confirm exploitation.
• The vulnerability is confirmed to affect both Windows and Linux environments running IIS or Apache web servers.
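
Added example (not from this page's sources or from ZZZCMS): a scanner for the first and fourth detection points above, flagging any '{if:...}' label whose condition contains call syntax or a PHP request superglobal, in template text or in a URL-decoded form body. The heuristics, function names and the benign sample condition are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Opening conditional label: captures everything between "{if:" and the next "}".
IF_LABEL = re.compile(r"\{if:(.*?)\}", re.IGNORECASE | re.DOTALL)

# Heuristics (assumptions of this example): a condition should compare values,
# so call syntax or PHP request superglobals inside it are treated as suspicious.
CHECKS = {
    "function-call": re.compile(r"[A-Za-z_][A-Za-z0-9_]*\s*\("),
    "superglobal": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"),
}


def scan_template(text):
    """Return one finding per {if:...} label whose condition trips a check."""
    findings = []
    for m in IF_LABEL.finditer(text):
        condition = m.group(1)
        reasons = [name for name, rx in CHECKS.items() if rx.search(condition)]
        if reasons:
            findings.append({
                "line": text.count("\n", 0, m.start()) + 1,
                "condition": condition,
                "reasons": reasons,
            })
    return findings


def scan_request_body(body):
    """URL-decode a form-encoded body first so encoded braces are not missed."""
    return scan_template(unquote_plus(body))


# Constructed sample inputs; the two flagged strings are the ones quoted on this page.
SAMPLE_TEMPLATE = (
    "<h1>Search</h1>\n"
    "{if:1=1}ok{end if}\n"
    "{if:assert($_POST[x])}phpinfo();{end if}\n"
)
SAMPLE_BODY = "keys=%7Bif%3Aarray_map(base_convert(27440799224%2C10%2C32)%2Carray(1))%7D%7Bend+if%7D"

if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE) + scan_request_body(SAMPLE_BODY):
        print(finding)
```

A plain substring match on 'if:assert' would miss the second sample, which is why the check looks at call syntax in the condition rather than one function name.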

CVSS provenance

nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P