PHP Security Vulnerabilities

CVE-2002-1821
Ultimate PHP Board (UPB) 1.0 and 1.0b allows remote authenticated users to gain privileges and perform unauthorized actions via direct requests to (1) admin_members.php, (2) admin_config.php, (3) admin_cat.php, or (4)...
AI Score 7.1 | EPSS 0.001 | 2022-10-03 04:23 PM

CVE-2002-1954
Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.2.3 allows remote attackers to inject arbitrary web script or HTML via the query string argument, as demonstrated using...
AI Score 6 | EPSS 0.004 | 2022-10-03 04:23 PM

CVE-2002-1931
Cross-site scripting (XSS) vulnerability in PHP Arena paFileDB 1.1.3 and 2.1.1 allows remote attackers to inject arbitrary web script or HTML via Javascript in the search...
AI Score 5.8 | EPSS 0.002 | 2022-10-03 04:23 PM

CVE-2017-17952
PHP Scripts Mall PHP Multivendor Ecommerce has a predictable registration URL, which makes it easier for remote attackers to register with an invalid or spoofed e-mail...
CVSS 8.6 | AI Score 8.5 | EPSS 0.001 | 2022-10-03 04:23 PM

CVE-2017-17960
PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | 2022-10-03 04:23 PM

CVE-2017-17954
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view.php usid...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-10-03 04:23 PM

CVE-2017-17959
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the seller-view.php usid...
CVSS 9.8 | AI Score 9.9 | EPSS 0.002 | 2022-10-03 04:23 PM

CVE-2017-17951
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the shopping-cart.php cusid...
CVSS 9.8 | AI Score 9.9 | EPSS 0.002 | 2022-10-03 04:23 PM

CVE-2017-17953
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.php chid1...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-10-03 04:23 PM

CVE-2017-17955
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-cart.php cusid...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-10-03 04:23 PM

CVE-2017-17956
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/sellerupd.php companyname...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-10-03 04:23 PM

CVE-2017-17957
PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the my_wishlist.php fid...
CVSS 9.8 | AI Score 9.9 | EPSS 0.002 | 2022-10-03 04:23 PM

CVE-2017-17958
PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist.php fid...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2022-10-03 04:23 PM

CVE-2017-9225
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in...
CVSS 9.8 | AI Score 9.5 | EPSS 0.002 | 2022-10-03 04:23 PM

CVE-2017-9067
In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory...
CVSS 7 | AI Score 7.4 | EPSS 0.0005 | 2022-10-03 04:23 PM

CVE-2005-0831
PHP-Post allows remote attackers to spoof the names of other users by registering with a username containing hex-encoded...
AI Score 7 | EPSS 0.002 | 2022-10-03 04:22 PM

CVE-2005-0596
PHP 4 (PHP4) allows attackers to cause a denial of service (daemon crash) by using the readfile function on a file whose size is a multiple of the page...
AI Score 6.5 | EPSS 0.0004 | 2022-10-03 04:22 PM

CVE-2005-4712
CRLF injection vulnerability in process_signup.php in PHP Handicapper allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the login parameter. NOTE: the vendor has disputed CVE-2005-3497, and it is possible that the dispute was intended to include this issue as...
AI Score 7.1 | EPSS 0.005 | 2022-10-03 04:22 PM

CVE-2005-3698
PHP Easy Download allows remote attackers to bypass authentication via...
AI Score 7.5 | EPSS 0.004 | 2022-10-03 04:22 PM

CVE-2018-16549
HScripts PHP File Browser Script v1.0 allows Directory Traversal via the index.php path...
CVSS 5.3 | AI Score 5.4 | EPSS 0.002 | 2022-10-03 04:22 PM

CVE-2018-19458
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than...
CVSS 7.5 | AI Score 7.4 | EPSS 0.867 | 2022-10-03 04:21 PM

CVE-2006-2098
PHP remote file inclusion vulnerability in Thumbnail AutoIndex before 2.0 allows remote attackers to execute arbitrary PHP code via (1) README.html or (2)...
AI Score 7.7 | EPSS 0.004 | 2022-10-03 04:21 PM

CVE-2006-5706
Unspecified vulnerabilities in PHP, probably before 5.2.0, allow local users to bypass open_basedir restrictions and perform unspecified actions via unspecified vectors involving the (1) chdir and (2) tempnam functions. NOTE: the tempnam vector might overlap...
AI Score 6.2 | EPSS 0.025 | 2022-10-03 04:21 PM

CVE-2006-7205
The array_fill function in ext/standard/array.c in PHP 4.4.2 and 5.1.2 allows context-dependent attackers to cause a denial of service (memory consumption) via a large num...
AI Score 6.3 | EPSS 0.002 | 2022-10-03 04:21 PM

CVE-2006-7005
SQL injection vulnerability in item.php in PSY Auction allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party...
AI Score 8.1 | EPSS 0.003 | 2022-10-03 04:21 PM

CVE-2010-1130
session.c in the session extension in PHP before 5.2.13, and 5.3.1, does not properly interpret ; (semicolon) characters in the argument to the session_save_path function, which allows context-dependent attackers to bypass open_basedir and safe_mode restrictions via an argument that contains...
AI Score 9.3 | EPSS 0.032 | 2022-10-03 04:21 PM

CVE-2010-5053
SQL injection vulnerability in the XOBBIX (com_xobbix) component 1.0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the prodid parameter in a prod_desc action to...
AI Score 8.6 | EPSS 0.003 | 2022-10-03 04:21 PM

CVE-2010-1861
The sysvshm extension for PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to write to arbitrary memory addresses by using an object's __sleep function to interrupt an internal call to the shm_put_var function, which triggers access of a freed...
AI Score 9.4 | EPSS 0.002 | 2022-10-03 04:21 PM

CVE-2010-1868
The (1) sqlite_single_query and (2) sqlite_array_query functions in ext/sqlite/sqlite.c in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to execute arbitrary code by calling these functions with an empty SQL query, which triggers access of uninitialized...
AI Score 9.8 | EPSS 0.008 | 2022-10-03 04:21 PM

CVE-2014-8294
Multiple SQL injection vulnerabilities in Voice Of Web AllMyGuests 0.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) allmyphp_cookie cookie to admin.php or the (2) Username or (3)...
AI Score 8.8 | EPSS 0.001 | 2022-10-03 04:20 PM

CVE-2014-8293
Cross-site scripting (XSS) vulnerability in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to inject arbitrary web script or HTML via the AMG_signin_topic parameter to...
AI Score 5.9 | EPSS 0.001 | 2022-10-03 04:20 PM

CVE-2015-8878
main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file...
CVSS 5.9 | AI Score 5.8 | EPSS 0.001 | 2022-10-03 04:16 PM

CVE-2015-8880
Double free vulnerability in the format printer in PHP 7.x before 7.0.1 allows remote attackers to have an unspecified impact by triggering an...
CVSS 9.8 | AI Score 9.4 | EPSS 0.004 | 2022-10-03 04:16 PM

CVE-2003-1254
Active PHP Bookmarks (APB) 1.1.01 allows remote attackers to execute arbitrary PHP code via (1) head.php, (2) apb_common.php, or (3) apb_view_class.php by modifying the APB_SETTINGS parameter to reference a URL on a remote web server that contains the...
AI Score 7.7 | EPSS 0.003 | 2022-10-03 04:15 PM

CVE-2011-3772
phpCollab 2.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by topics/noti_newtopic.php and certain other...
AI Score 6.3 | EPSS 0.002 | 2022-10-03 04:15 PM

CVE-2013-2220
Buffer overflow in the radius_get_vendor_attr function in the Radius extension before 1.2.7 for PHP allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large Vendor Specific Attributes (VSA) length...
AI Score 8 | EPSS 0.02 | 2022-10-03 04:14 PM

CVE-2013-4636
The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to a finfo...
AI Score 5.6 | EPSS 0.002 | 2022-10-03 04:14 PM

CVE-2013-5931
SQL injection vulnerability in property_listings_detail.php in Real Estate PHP Script allows remote attackers to execute arbitrary SQL commands via the listingid...
AI Score 8.8 | EPSS 0.001 | 2022-10-03 04:14 PM

CVE-2007-2679
PHP file inclusion vulnerability in index.php in Ivan Peevski gallery 0.3 in Simple PHP Scripts (sphp) allows remote attackers to execute arbitrary PHP code via a UNC share pathname or a local file pathname in the gallery parameter, which is accessed by the file_exists function. NOTE: the...
AI Score 7.2 | EPSS 0.005 | 2022-10-03 04:14 PM

CVE-2007-1452
The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement the input filtering hooks for ext/filter, which allows remote attackers to bypass web site filters via an application/vnd.fdf formatted...
AI Score 6.5 | EPSS 0.003 | 2022-10-03 04:14 PM

CVE-2007-3627
Multiple SQL injection vulnerabilities in PHP Lite Calendar Express 2.2 allow remote attackers to execute arbitrary SQL commands via the cid parameter to (1) login.php, (2) auth.php, and (3) subscribe.php. NOTE: the month.php, year.php, week.php, and day.php vectors are already covered by...
AI Score 8.1 | EPSS 0.002 | 2022-10-03 04:14 PM

CVE-2004-2718
PHPMyChat 0.14.5 does not remove or protect setup.php3 after installation, which allows attackers to obtain sensitive information including database passwords via a direct...
AI Score 6.4 | EPSS 0.016 | 2022-10-03 04:14 PM

CVE-2008-0645
Multiple PHP remote file inclusion vulnerabilities in Portail Web Php 2.5.1.1 allow remote attackers to execute arbitrary PHP code via a URL in the site_path parameter to (1) config/conf-activation.php, (2) menu/item.php, and (3) modules/conf_modules.php in admin/system/; and (4)...
AI Score 7.3 | EPSS 0.013 | 2022-10-03 04:14 PM

CVE-2008-7002
PHP 5.2.5 does not enforce (a) open_basedir and (b) safe_mode_exec_dir restrictions for certain functions, which might allow local users to bypass intended access restrictions and call programs outside of the intended directory via the (1) exec, (2) system, (3) shell_exec, (4) passthru, or (5)...
AI Score 6.6 | EPSS 0.0004 | 2022-10-03 04:13 PM

CVE-2022-3152
Unverified Password Change in GitHub repository phpfusion/phpfusion prior to...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | 2022-09-07 03:15 PM

CVE-2017-20128
A vulnerability has been found in KB Messages PHP Script 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument username/password with the input 'or''=' leads to sql injection. The attack can be launched remotely. The exploit...
CVSS 9.8 | AI Score 9.7 | EPSS 0.005 | 2022-07-13 06:15 PM

CVE-2022-30478
Ecommerce-project-with-php-and-mysqli-Fruits-Bazar 1.0 is vulnerable to SQL Injection in \search_product.php via the keyword...
CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2022-06-02 02:15 PM

CVE-2022-30482
Ecommerce-project-with-php-and-mysqli-Fruits-Bazar- 1.0 is vulnerable to Cross Site Scripting (XSS) in \admin\add_cata.php via the ctg_name...
CVSS 4.8 | AI Score 4.8 | EPSS 0.001 | 2022-06-02 02:15 PM

CVE-2022-28081
A reflected cross-site scripting (XSS) vulnerability in the component Query.php of arPHP v3.6.0 allows attackers to execute arbitrary web...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2022-05-04 02:15 PM

CVE-2022-27157
pearweb < 1.32 suffers from a Weak Password Recovery Mechanism via...
CVSS 9.8 | AI Score 9.3 | EPSS 0.002 | 2022-04-15 06:15 PM

Total number of security vulnerabilities: 1262