Description
Duplicated
CVE-2018-7737
Author: @ponyma233
Detail: https://github.com/ponyma233/cms/blob/master/Z-Blog_1.5.1.1740_bugs.md (Deleted on 16/Feb)
Detail: https://packetstormsecurity.com/files/147063/Z-Blog-1.5.1.1740-Full-Path-Disclosure.html
Duplicate of CVE-2018-6846. We fixed them after CVE-2018-6846 was confirmed. See: 7f09eb1
CVE-2018-7736
Author: @ponyma233
Detail: https://github.com/ponyma233/cms/blob/master/Z-Blog_1.5.1.1740_bugs.md
Detail: https://packetstormsecurity.com/files/147066/Z-Blog-1.5.1.1740-Cross-Site-Scripting.html
Same as CVE-2018-10680 and CVE-2018-11208. We decline to accept it as a valid issue. If you get admin privilege, there are so many self-xss ways.
Useless
CVE-2018-10680
Author: @Oran9e
Detail: #185
We declined to accept a self-xss with admin privilege.
CVE-2018-11208
Author: @Jayway007
Detail: #187
We declined to accept a self-xss with admin privilege.
Fake
CVE-2018-19556
Author: @novysodope
Detail: https://github.com/novysodope/Z-BlogPHP1.5Zero/commit/49b1b99d2df0fd2a3ae61655b516a1c6bc998b57
It's Adobe's bug, not ours. As he said, see CVE-2017-1125 and CVE-2018-4901.
CVE-2018-19463
Author: @novysodope
Detail: https://github.com/novysodope/Z-BlogPHP1.5Zero/commit/8526931c1e5fbe185740d91f9b286c38d3401445
It's fake. We have no dynamic include. No one can run PHP by uploading an image in the current version. By the way, it needs authentication.
CVE-2018-11209
Author: @Jayway007
Detail: #188
It's a joke. I laughed.