CVE-2004-1929
Affected software: PHP-Nuke 6.x through 7.2. Vulnerability: SQL injection in the bblogin function (functions.php) that allows remote attackers to bypass authentication by injecting base64-encoded SQL into the user parameter. Root cause: Improper handling/validation of user input in the login p...
CVE-2004-1842
PHP-Nuke 6.x through 7.1.0 is affected by a CSRF that lets an attacker gain administrative privileges via an image tag pointing to admin.php. The PT-2004-2741 entry confirms the issue and recommends upgrading to a version containing the fix; no specific fixed version is provided in the sources.
CVE-2004-2019
The CVE-2004-2019 entry concerns the WebLinks module of Php-Nuke 6.x–7.3. The vulnerability arises from an invalid show parameter in the WebLinks module, which allows remote attackers to obtain sensitive information by triggering a PHP error that reveals the full filesystem path. Affected softwar...
CVE-2004-2020
CVE-2004-2020 affects Php-Nuke 6.x through 7.3. The vulnerability is a set of cross-site scripting (XSS) flaws that allow remote attackers to inject arbitrary HTML or scripts via user-supplied input in specific parameters: optionbox (News module), date (Statistics module), year/month/month_1 (Sto...
CVE-2004-1829
Affected product: Gijza.net Error Manager 2.1 for PHP-Nuke 6.0. Vulnerability: multiple cross-site scripting (XSS) in error.php, exploitable via the pagetitle, error, or certain error-log parameters. Root cause: insufficient input validation in error handling leading to injection of arbitrary web...
CVE-2004-1971
The CVE-2004-1971 entry concerns PHP-Nuke Video Gallery Module 0.1 Beta 5, in which remote attackers can trigger an error message by issuing HTTP requests with invalid catid or clipid parameters, causing disclosure of the full server path. Affected component: PHP-Nuke Video Gallery Mod...
CVE-2004-1932
This CVE (CVE-2004-1932) affects PHP-Nuke 6.x through 7.2, with a SQL injection in auth.php and admin.php. The underlying flaw allows remote attackers to inject SQL and create an administrator account via base64-encoded SQL in the admin parameter. The connected sources confirm the vulnerable comp...
CVE-2004-1841
CVE-2004-1841 concerns a SQL injection in MS Analysis module 2.0 for PHP-Nuke, allowing remote attackers to execute arbitrary SQL via the Referer header in an HTTP request. The available documents identify the affected component and the general vulnerability class but do not provide version-speci...
CVE-2004-1840
CVE-2004-1840 affects the MS Analysis module 2.0 for PHP-Nuke. The vulnerability is multiple cross-site scripting (XSS) flaws that allow remote attackers to inject arbitrary JavaScript/HTML via (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to mo...
CVE-2004-1818
CVE-2004-1818 describes a cross-site scripting (XSS) vulnerability in the nmimage.php script of 4nalbum 0.92 running on PHP-Nuke 6.5–7.0. Attackers can inject arbitrary script via the z parameter to execute code in the context of other users. The provided documents do not specify exploit details,...
CVE-2004-1959
The CVE-2004-1959 entry affects Protector System 1.15b1 for PHP-Nuke, where blocker_query.php exposes sensitive path information through the portNum parameter in an error message. This is a remote information-disclosure vulnerability that allows attackers to learn server filesystem paths. The ava...
CVE-2004-1817
This CVE affects Php-Nuke 7.1.0, where a cross-site scripting (XSS) vulnerability exists in modules.php. The issue allows an attacker to inject arbitrary web script or HTML through user-supplied input in multiple fields: Your Name, e-mail, nicname, fname, ratenum, and search. The root cause is im...
CVE-2004-2044
CVE-2004-2044 affects PHP-Nuke 7.3 and related products that use the PHP-Nuke codebase (e.g., Nuke Cops betaNC bundle, OSCNukeLite 3.1, OSC2Nuke 7x). It arises from improper use of eregi() with $_SERVER['PHP_SELF'] to identify the calling script, enabling remote attackers to directly access scrip...
CVE-2004-1913
The CVE-2004-1913 entry documents a cross-site scripting (XSS) vulnerability in the NukeCalendar 1.1.a module (as used in PHP-Nuke), exploitable via the eid parameter in modules.php. This allows remote attackers to inject arbitrary web script or HTML. The available references confirm the affected...
CVE-2004-1912
The CVE-2004-1912 issue affects NukeCalendar 1.1.a (as used in PHP-Nuke). The (1) modules.php, (2) block-Calendar.php, (3) block-Calendar1.php, and (4) block-Calendar_center.php scripts can disclose the full filesystem path via an error message when a URL with an invalid argument is requested. Th...
CVE-2004-1830
CVE-2004-1830: error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive information by supplying invalid (language, newlang, or lang) parameters, which leaks the pathname in a PHP error message. This is an information-disclosure issue affecting the specified...
CVE-2004-1959
blocker_query.php in Protector System 1.15b1 for PHP-Nuke allows remote attackers to gain sensitive information via a string in the portNum parameter, which reveals the full path in an error message...
CVE-2004-2019
The WebLinks module in Php-Nuke 6.x through 7.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which displays the full path in a PHP error message...
CVE-2004-2018
PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x through 7.3 allows remote attackers to execute arbitrary PHP code by modifying the modpath parameter to reference a URL on a remote web server that contains the code...
CVE-2004-2018
Php-Nuke 6.x–7.3 is affected by a PHP remote file inclusion vulnerability in index.php, exploitable by altering the modpath parameter to reference a URL on a remote server containing malicious code, enabling remote code execution. The initial documents do not provide specific remediation steps or...