An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.). This may lead to a full compromise of admin accounts, when combined with the weak password generator algorithm used in the lostpassword functionality.
CWE-89
CVE-2019-12348
An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter.
CVE-2019-12349
An issue was discovered in zzcms 2019. SQL Injection exists in /admin/dl_sendsms.php via the id parameter.
CVE-2019-12350
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_download.php via an id parameter value with a trailing comma.
CVE-2019-12351
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma.
CVE-2019-12352
An issue was discovered in zzcms 2019. There is a SQL injection Vulnerability in /dl/dl_sendmail.php (when the attacker has dls_print authority) via a dlid cookie.
