CVE-2019-1010151

9.8 CRITICAL

📋 TL;DR

CVE-2019-1010151 is a critical arbitrary file deletion vulnerability in zzcms (also written zzmcms) versions 8.3 and earlier. The /user/ppsave.php component lets an authenticated CMS user delete arbitrary files on the server, which can be chained into remote code execution (getshell). Any website running an affected version is exposed.

💻 Affected Systems

Products:
  • zzcms
  • zzmcms
Versions: 8.3 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /user/ppsave.php component specifically. The deletion is performed by the PHP script running as the web server account, so only files in directories that account can write to can be removed; the more of the install tree that account owns or can write, the worse the impact.

📦 What is this software?

zzcms is a PHP-based content management system; the vulnerable component, /user/ppsave.php, is one of its user-facing PHP scripts.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control over the web server, data theft, defacement, and lateral movement to other systems.

🟠

Likely Case

Website defacement, data manipulation, installation of backdoors, and credential theft from the compromised CMS.

🟢

If Mitigated

Limited impact where the web server account cannot write to application directories (so the script has nothing it can delete), the endpoint is blocked at a web application firewall, and user registration is restricted, since the attacker first needs a CMS account.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated CMS user account, but the vulnerability is well documented and a public proof of concept exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4 or later

Vendor Advisory: Not publicly documented

Restart Required: No

Instructions:

1. Back up the current installation and database.
2. Download the latest version from the official source.
3. Replace all files except configuration and upload directories.
4. Run any database update scripts if provided.

🔧 Temporary Workarounds

Restrict file permissions

linux

Deleting a file on Unix requires write and search permission on the directory that contains it, not on the file itself, so setting ppsave.php to 644 on its own does nothing. What matters is that the web server account does not own, and cannot write to, the application directories. Have a separate deploy account own the tree and give the web server read-only access (www-data is the Debian web server account and deploy is an assumed owner name; substitute your own):

chown -R deploy:www-data /path/to/zzcms   # non-web-server owner, web server group
chmod -R u=rwX,g=rX,o=rX /path/to/zzcms   # directories 755, files 644

Directories that must stay writable (uploads) should be re-owned by the web server account separately and must not contain executable content.
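To check whether the permission workaround above actually closes off deletion, the following audit script walks a web root and lists every directory whose entries the web server account could unlink. It is an added example for this page, not zzcms code; it applies the standard Unix rule that unlink needs write and search permission on the containing directory, and it takes the account name on the command line (www-data below is the Debian default, an assumption).

```python
"""Audit which directories under a web root the web-server account could
delete files from.  Added example for this page, not zzcms code.

On Unix, unlink() needs write and search (x) permission on the *directory*
holding the file; the file's own mode is irrelevant.  So chmod 644 on
ppsave.php alone does not stop a PHP script running as the web server user
from deleting it, or anything else, in a directory that user can write to.
"""
import os
import pwd
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A Unix identity: uid plus every group it belongs to."""
    uid: int
    gids: frozenset


def principal_for(username: str) -> Principal:
    """Build a Principal from the password and group databases."""
    pw = pwd.getpwnam(username)
    return Principal(pw.pw_uid, frozenset(os.getgrouplist(username, pw.pw_gid)))


def can_delete_entries(st: os.stat_result, who: Principal) -> bool:
    """True if `who` may unlink entries in the directory described by `st`.

    Mirrors kernel DAC: root bypasses the check; otherwise exactly one of
    the owner/group/other triplets applies, and both w and x are needed.
    A sticky bit (/tmp style) further limits deletion to entries `who`
    owns, which this coarse check does not model.
    """
    mode = st.st_mode
    if not stat.S_ISDIR(mode):
        return False
    if who.uid == 0:
        return True
    if st.st_uid == who.uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in who.gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need


def deletable_dirs(root: str, who: Principal) -> list:
    """Every directory under `root` (inclusive) whose entries `who` can delete."""
    hits = []
    for dirpath, _dirnames, _files in os.walk(root):
        if can_delete_entries(os.lstat(dirpath), who):
            hits.append(dirpath)
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python3 audit_deletable.py /path/to/zzcms www-data
    # (www-data is the Debian web-server account, an assumption; substitute yours.)
    root, user = sys.argv[1], sys.argv[2]
    for d in deletable_dirs(root, principal_for(user)):
        print(d)
```

Run it as root or as the deploy owner after applying the chown/chmod; the only directories it should print are the upload directories you deliberately left writable. Anything else listed is somewhere ppsave.php could still delete from.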

Web Application Firewall rule

all

Block access to the vulnerable endpoint or filter malicious requests. Blocking or removing the endpoint also disables whatever legitimate user function it serves, so pair it with the permission fix above rather than relying on it alone.

# Example ModSecurity rule: deny every request whose URI contains the vulnerable script
SecRule REQUEST_URI "@contains /user/ppsave.php" "id:1001,phase:1,deny,status:403"

🧯 If You Can't Patch

  • Disable or remove the /user/ppsave.php file entirely
  • Implement strict authentication controls and monitor access to vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check whether /user/ppsave.php exists in the install tree and compare the installed version, as shown in the CMS admin panel or in the configuration files, against 8.3.

Check Version:

grep -ri 'version' /path/to/zzcms/ --include='*.php' | head -5

Verify Fix Applied:

Confirm the installed version is 8.4 or later, and on a test copy confirm that a ppsave.php request whose file parameter points outside the intended directory (a ../ sequence or an absolute path) no longer removes the target file.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /user/ppsave.php
  • Application files disappearing unexpectedly (file integrity monitoring, or auditd records of unlink calls made by the web server account; web server access logs themselves do not record deletions)
  • Multiple failed authentication attempts followed by ppsave.php access

Network Indicators:

  • HTTP POST requests to /user/ppsave.php with file path parameters
  • Unusual outbound connections from web server after exploitation

SIEM Query:

source="web_server" AND uri="/user/ppsave.php" AND method="POST"

Restrict the query to POST: adding OR status=200 would match every ordinary page view of the script. Baseline the normal POST volume to this URI before alerting on it, and where the proxy logs query strings, add a clause for ../ or absolute paths in the parameters.
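The log indicators above, turned into working detection logic. This is an added example for this page, not zzcms code or a vendor-supplied rule; the log lines are constructed, the login path /user/login.php is an assumption (the real form may post elsewhere), and the query parameter name in the sample is a placeholder, not the parameter ppsave.php actually reads. It flags POSTs to the script, path-like parameter values visible in the query string, and a burst of login POSTs from the same address before the hit; a plain GET returning 200 is deliberately not an alert.

```python
"""Flag access-log activity matching the indicators listed above.

Added example for this page; the log lines are constructed, not real zzcms
traffic.  Assumptions: the CMS login form posts to /user/login.php, and the
query parameter name in the sample is a placeholder.  Note that POST body
parameters never appear in access logs; only query-string values can be
inspected here.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

TARGET = "/user/ppsave.php"
LOGIN = "/user/login.php"          # ASSUMPTION: login endpoint
FAILED_THRESHOLD = 3               # login POSTs from one IP before a ppsave.php hit

# Apache/nginx combined-style line: ip ident user [ts] "METHOD target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Parameter values that look like filesystem paths rather than CMS data.
PATH_LIKE = re.compile(r'\.\./|\\|^/|\.php$')


def parse(line: str):
    """Split one access-log line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, failed_threshold: int = FAILED_THRESHOLD):
    """Return (ip, timestamp, reasons) for each ppsave.php request worth a look."""
    alerts = []
    login_posts = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        ip = rec["ip"]
        if url.path == LOGIN and rec["method"] == "POST":
            # Every login POST counts: success and failure are not
            # distinguishable from the status code alone.
            login_posts[ip] += 1
            continue
        if url.path != TARGET:
            continue
        reasons = []
        if rec["method"] == "POST":
            reasons.append("POST to ppsave.php")
        suspicious = [f"{k}={v}" for k, vs in parse_qs(url.query).items()
                      for v in vs if PATH_LIKE.search(v)]
        if suspicious:
            reasons.append("path-like parameter " + ", ".join(suspicious))
        if login_posts[ip] >= failed_threshold:
            reasons.append(f"{login_posts[ip]} login POSTs before access")
        if reasons:
            alerts.append((ip, rec["ts"], reasons))
    return alerts


# Constructed sample: one login-burst-then-delete sequence and two benign hits.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2019:12:00:01 +0000] "POST /user/login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2019:12:00:03 +0000] "POST /user/login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2019:12:00:05 +0000] "POST /user/login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2019:12:00:30 +0000] "POST /user/ppsave.php?file=../../index.php HTTP/1.1" 200 88
198.51.100.4 - - [10/Jun/2019:12:05:00 +0000] "GET /user/ppsave.php HTTP/1.1" 200 1432
192.0.2.9 - - [10/Jun/2019:12:06:00 +0000] "GET /index.php HTTP/1.1" 200 9001
""".splitlines()

if __name__ == "__main__":
    for ip, ts, reasons in analyze(SAMPLE_LOG):
        print(f"{ts} {ip}: " + "; ".join(reasons))
```

Running it against the sample yields one alert, for 203.0.113.7, carrying all three reasons; the GET from 198.51.100.4 with status 200 is ignored, which is the noise a status=200 clause in the SIEM query would otherwise surface. Feed real logs line by line into analyze() and tune FAILED_THRESHOLD to your login traffic.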
