SQL injection vulnerability in security.php in ZeusCMS 0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Referer HTTP header.

Absolute path traversal vulnerability in ZeusCMS 0.3 and earlier might allow remote attackers to list arbitrary directories via a full pathname in the dir parameter.

Cross-site scripting (XSS) vulnerability in Zeus Administration Server in Zeus Web Server 4.0 through 4.1r2 allows remote authenticated users to inject arbitrary web script or HTML via the section parameter to index.fcgi.

Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL.

Zeus web server allows remote attackers to read arbitrary files by specifying the file name in an option to the search engine.

The Zeus web server administrative interface uses weak encryption for its passwords.