2593 matches found
CVE-2011-3700
Advanced Electron Forum AEF 1.0.8 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by languages/english/deletetopiclang.php...
CVE-2011-3717
ClipBucket 2.0.9 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by plugins/signupcaptcha/signupcaptcha.php and certain other files...
CVE-2011-3706
ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/toolsettings.inc.php and certain other files...
CVE-2015-5467
web\ViewAction in Yii aka Yii2 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter...
CVE-2019-13979
In Directus 7 API before 2.2.1, uploading of PHP files is not blocked, leading to uploads//originals remote code execution...
CVE-2019-9106
The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to execute or include local .php files, as demonstrated by menu=php://filter/convert.base64-encode/resource=index.php to read index.php...
CVE-2019-8933
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory without being blocked by the Web Application Firewall, and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on...
CVE-2019-8154
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update...
CVE-2019-13414
The Rencontre plugin before 3.1.3 for WordPress allows XSS via inc/rencontrewidget.php...
CVE-2019-10652
An issue was discovered in flatCore 1.4.7. acp/acp.php allows remote authenticated administrators to upload arbitrary .php files, related to the addons feature...
CVE-2018-16549
HScripts PHP File Browser Script v1.0 allows Directory Traversal via the index.php path parameter...
CVE-2019-1010178
Fred MODX Revolution 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is:...
CVE-2018-13024
Metinfo v6.0.0 allows remote attackers to write code into a .php file, and execute that code, via the module parameter to admin/column/save.php in an editor upload action...
CVE-2012-5699
BabyGekko before 1.2.4 allows PHP file inclusion...
CVE-2013-4857
D-Link DIR-865L has PHP File Inclusion in the router xml file...
CVE-2017-11404
In CMS Made Simple CMSMS 2.2.2, remote authenticated administrators can upload a .php file via a FileManager action to admin/moduleinterface.php...
CVE-2011-3704
appRain 0.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by cron.php...
CVE-2011-3800
Serendipity 1.5.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by templates/newspaper/layout.php and certain other files...
CVE-2019-13980
In Directus 7 API through 2.3.0, uploading of PHP files is blocked only when the Apache HTTP Server is used, leading to uploads//originals remote code execution with nginx...
CVE-2011-3751
LifeType 1.2.10 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by plugins/badbehavior/pluginbadbehavior.class.php...