CVE-2013-3214
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'...
CVE-2013-2267
FUDforum 3.0.4 and earlier are affected by a PHP code injection in /adm/admreplace.php due to insufficient validation of POST parameters regex_str, regex_str_opt and regex_with, allowing remote attackers to inject and execute arbitrary PHP code on the server with web server privileges (CWE-94). T...
CVE-2012-6649
WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute arbitrary PHP code via improper file upload...
Unrestricted file upload
WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute arbitrary PHP code via improper file upload...
Path traversal
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality by leveraging a path traversal vulnerability in the users 'photoppreview' delete photo feature, allowing bypass of .htaccess protection...
Design/Logic Flaw
The CSV upload feature in /supervisor/procesacarga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/ content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI...
CVE-2019-20385
The CSV upload feature in /supervisor/procesacarga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/ content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI...
AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution
Prior to version 3.3.2, this plugin allowed arbitrary PHP code execution through the loginerror function. This exploit is out in the wild now and actively being exploited. PoC curl -Ls http://www.example.com/login/?loginerror=%3C?%20$a%20=%20getcwd;%20echo%20$a;%20?%3E...
WordPress InfiniteWP Client Authentication Bypass
This module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGINFILE. The module will attempt to retrieve the original PLUGINFILE contents and restore them after payload...
CVE-2020-5505
Freelancy v1.0.0 allows remote command execution via the "file":"data:application/x-php;base64 substring in conjunction with "type":"application/x-php" to the /api/files/ URI...
CVE-2012-2950
Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information...
Design/Logic Flaw
uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow the .php extension...
Design/Logic Flaw
Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information...
CVE-2019-20183
CVE-2019-20183 affects the Simple Employee Records System 1.0. The vulnerability is an arbitrary file upload flaw in uploadimage.php caused by client-side validation of file extensions, allowing an attacker to upload executable PHP code by bypassing validation (e.g., via modifying global.js). Thi...
CVE-2019-20183
uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow the .php extension...
CVE-2012-2931
PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file...
ProFTPD 'mod_copy' Arbitrary File Copy Vulnerability (Remote)
The remote host is running ProFTPD. It is affected by a vulnerability in the mod_copy module, which fails to honor and configurations as expected. An unauthenticated, remote attacker can exploit this by using the mod_copy module's functionality in order to copy arbitrary files in the FTP directory...