Login Sign Up

CVE-2019-12354

7.2 HIGH
SQL Injection

📋 TL;DR

This SQL injection vulnerability in zzcms 2019 allows authenticated administrators to execute arbitrary SQL commands through the /admin/showbad.php endpoint via the id parameter. Attackers with admin privileges can exploit this to manipulate or extract database content. Only zzcms 2019 installations with admin accounts are affected.

💻 Affected Systems

Products:
  • zzcms
Versions: 2019 version
Operating Systems: Any OS running zzcms (typically Linux/Windows web servers)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication to access /admin/showbad.php endpoint. Default admin accounts if not changed increase risk.

📦 What is this software?

Zzcms by Zzcms

View all CVEs affecting Zzcms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, or potential remote code execution if database functions allow it.

🟠

Likely Case

Unauthorized data access, modification of application data, or extraction of sensitive information from the database.

🟢

If Mitigated

Limited impact due to proper input validation, parameterized queries, and restricted admin account access.

🌐 Internet-Facing: MEDIUM - Requires admin authentication but internet-facing admin panels increase exposure.
🏢 Internal Only: MEDIUM - Internal attackers with admin credentials or compromised admin accounts can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials. SQL injection via id parameter is straightforward for attackers with access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions of zzcms (post-2019)

Vendor Advisory: https://github.com/cby234/zzcms/issues/5

Restart Required: No

Instructions:

1. Upgrade to latest zzcms version. 2. Apply input validation and parameterized queries to /admin/showbad.php. 3. Review and secure admin authentication mechanisms.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize id parameter before processing

Modify showbad.php to validate id parameter as integer: if(!is_numeric($_GET['id'])) { die('Invalid input'); }

Access Restriction

linux

Restrict access to /admin/showbad.php to specific IP addresses

Add to .htaccess: Order Deny,Allow\nDeny from all\nAllow from 192.168.1.0/24

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Disable or remove the /admin/showbad.php endpoint if not required

🔍 How to Verify

Check if Vulnerable:

Test /admin/showbad.php?id=1' OR '1'='1 with admin credentials to see if SQL error occurs

Check Version:

Check zzcms version in admin panel or readme files

Verify Fix Applied:

Test same payload after fix - should return error message or no SQL errors

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in web server logs
  • Multiple requests to /admin/showbad.php with unusual id parameters

Network Indicators:

  • SQL injection patterns in HTTP requests to admin endpoints

SIEM Query:

source="web_logs" AND uri="/admin/showbad.php" AND (query="*'*" OR query="*OR*" OR query="*UNION*" OR query="*SELECT*" OR query="*FROM*")

📊 Metadata

CVE ID: CVE-2019-12354
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: June 17, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-12354, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)