An issue exists in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.
zzcms zzcms 8.2