PHP Security Vulnerabilities

CVE-2022-27158
pearweb < 1.32 suffers from Deserialization of Untrusted...
CVSS 9.8 | AI Score 9.3 | EPSS 0.002 | 2022-04-15 06:15 PM

CVE-2022-26613
PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability via the category parameter in...
CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | 2022-04-06 09:15 PM

CVE-2021-21708
In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially...
CVSS 9.8 | AI Score 9.3 | EPSS 0.003 | 2022-02-27 08:15 AM

CVE-2014-8597
A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2022-02-17 08:15 PM

CVE-2022-24665
PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress gutenberg block by any user able to edit...
CVSS 9.9 | AI Score 8.6 | EPSS 0.001 | 2022-02-16 05:15 PM

CVE-2022-24664
PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress metaboxes, which could be used by any user able to edit...
CVSS 9.9 | AI Score 8.7 | EPSS 0.001 | 2022-02-16 05:15 PM

CVE-2022-24663
PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated...
CVSS 9.9 | AI Score 8.7 | EPSS 0.001 | 2022-02-16 05:15 PM

CVE-2021-40909
Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23, allows remote attackers to execute arbitrary code via the first_name, last_name, and email parameters to...
CVSS 9.6 | AI Score 8.7 | EPSS 0.004 | 2022-01-24 04:15 PM

CVE-2021-41472
SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username and password...
CVSS 9.8 | AI Score 10 | EPSS 0.002 | 2022-01-24 04:15 PM

CVE-2021-43678
Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2021-12-17 01:15 PM

CVE-2021-26800
Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary...
CVSS 6.5 | AI Score 6.6 | EPSS 0.001 | 2021-12-16 08:15 PM

CVE-2021-42078
PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. This can be exploited by an adversary in multiple ways, e.g., to perform actions on the page in the context of other users, or to deface the...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2021-11-08 05:15 AM

CVE-2020-18263
PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability in the component search.php via the search parameter. This vulnerability allows attackers to access sensitive database...
CVSS 7.5 | AI Score 7.6 | EPSS 0.002 | 2021-11-03 06:15 PM

CVE-2020-23754
Cross Site Scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50, allows attackers to execute arbitrary code, via the polls...
CVSS 9.6 | AI Score 8.5 | EPSS 0.004 | 2021-11-02 06:15 PM

CVE-2021-40189
PHPFusion 9.03.110 is affected by a remote code execution vulnerability. The theme function will extract a file to "webroot/themes/{Theme Folder}", where an attacker can access and execute arbitrary...
CVSS 7.2 | AI Score 7.5 | EPSS 0.002 | 2021-10-11 07:15 PM

CVE-2021-40188
PHPFusion 9.03.110 is affected by an arbitrary file upload vulnerability. The File Manager function in admin panel does not filter all PHP extensions such as ".php, .php7, .phtml, .php5, ...". An attacker can upload a malicious file and execute code on the...
CVSS 7.2 | AI Score 7.2 | EPSS 0.001 | 2021-10-11 07:15 PM

CVE-2021-40541
PHPFusion 9.03.110 is affected by cross-site scripting (XSS): the preg patterns in the descript() function filter HTML tags without "//". An authenticated user can trigger XSS by appending "//" to the end of...
CVSS 6.1 | AI Score 5.7 | EPSS 0.001 | 2021-10-11 02:15 PM

CVE-2021-21706
In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS.....
CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2021-10-04 04:15 AM

CVE-2021-25790
Multiple stored cross site scripting (XSS) vulnerabilities in the "Register" module of House Rental and Property Listing 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in all text fields except for Phone Number and Alternate Phone...
CVSS 5.4 | AI Score 5.5 | EPSS 0.002 | 2021-07-23 06:15 PM

CVE-2021-25791
Multiple stored cross site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text...
CVSS 5.4 | AI Score 5.5 | EPSS 0.002 | 2021-07-23 06:15 PM

CVE-2020-23702
Cross Site Scripting (XSS) vulnerability in PHP-Fusion 9.03.60 via 'New Shout' in...
CVSS 4.8 | AI Score 5 | EPSS 0.001 | 2021-07-07 07:15 PM

CVE-2020-23184
A stored cross site scripting (XSS) vulnerability in /administration/settings_registration.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Registration"...
CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | 2021-07-02 06:15 PM

CVE-2020-23181
A reflected cross site scripting (XSS) vulnerability in /administration/theme.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Manage Theme"...
CVSS 5.4 | AI Score 5.3 | EPSS 0.001 | 2021-07-02 06:15 PM

CVE-2020-23185
A stored cross site scripting (XSS) vulnerability in /administration/setting_security.php of PHP-Fusion 9.03.60 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted...
CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | 2021-07-02 06:15 PM

CVE-2020-23178
An issue exists in PHP-Fusion 9.03.50 where session cookies are not deleted once a user logs out, allowing for an attacker to perform a session replay attack and impersonate the victim...
CVSS 5.4 | AI Score 6.3 | EPSS 0.001 | 2021-07-02 06:15 PM

CVE-2020-23179
A stored cross site scripting (XSS) vulnerability in administration/settings_main.php of PHP-Fusion 9.03.50 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Site footer"...
CVSS 5.4 | AI Score 5.9 | EPSS 0.001 | 2021-07-02 06:15 PM

CVE-2020-23182
The component /php-fusion/infusions/shoutbox_panel/shoutbox_archive.php in PHP-Fusion 9.03.60 allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message...
CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | 2021-07-02 06:15 PM

CVE-2021-20725
Reflected cross-site scripting vulnerability in the admin page of [Calendar01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2021-05-24 04:15 AM

CVE-2021-20723
Reflected cross-site scripting vulnerability in [MailForm01] free edition (versions whose last updated date, listed at the top of the descriptions in the program file, is from 2014 December 12 to 2018 July 27) allows a remote attacker to inject an arbitrary script via unspecified...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2021-05-24 04:15 AM

CVE-2021-20724
Reflected cross-site scripting vulnerability in the admin page of [Telop01] free edition ver1.0.1 and earlier allows a remote attacker to inject an arbitrary script via unspecified...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2021-05-24 04:15 AM

CVE-2021-28280
CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2021-04-29 03:15 PM

CVE-2021-29399
XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions 1.9.12.03 or...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2021-04-19 12:15 PM

CVE-2020-7071
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating a URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with an invalid password as a valid URL. This may lead to functions that rely on the URL being valid to mis-parse the URL and produce wrong....
CVSS 5.3 | AI Score 5.7 | EPSS 0.006 | 2021-02-15 04:15 AM

CVE-2021-21702
In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a...
CVSS 7.5 | AI Score 7.5 | EPSS 0.012 | 2021-02-15 04:15 AM

CVE-2020-35687
PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in...
CVSS 4.3 | AI Score 4.7 | EPSS 0.001 | 2021-01-13 05:15 PM | In Wild

CVE-2020-35952
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow...
CVSS 6.5 | AI Score 6.5 | EPSS 0.001 | 2021-01-03 04:15 AM

CVE-2020-25955
SourceCodester Student Management System Project in PHP version 1.0 is vulnerable to a stored cross-site scripting (XSS) via the 'add subject'...
CVSS 5.4 | AI Score 5.2 | EPSS 0.002 | 2020-12-08 02:15 PM

CVE-2020-29283
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to...
CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | 2020-12-02 10:15 PM

CVE-2020-29285
A SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to...
CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | 2020-12-02 10:15 PM

CVE-2020-28687
The edit profile functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary...
CVSS 8.8 | AI Score 8.7 | EPSS 0.025 | 2020-11-17 02:15 PM

CVE-2020-28688
The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary...
CVSS 8.8 | AI Score 8.7 | EPSS 0.025 | 2020-11-17 02:15 PM

CVE-2020-7068
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information...
CVSS 4.8 | AI Score 3.9 | EPSS 0.001 | 2020-09-09 06:15 PM

CVE-2020-24949
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution...
CVSS 8.8 | AI Score 8.7 | EPSS 0.939 | 2020-09-03 02:15 PM

CVE-2020-23658
PHP-Fusion 9.03.60 is affected by Cross Site Scripting (XSS) via...
CVSS 5.4 | AI Score 5.3 | EPSS 0.001 | 2020-08-26 06:15 PM

CVE-2020-17449
PHP-Fusion 9.03 allows XSS via the error_log...
CVSS 5.4 | AI Score 5.4 | EPSS 0.001 | 2020-08-12 10:15 PM

CVE-2020-17450
PHP-Fusion 9.03 allows XSS on the preview...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-08-12 10:15 PM

CVE-2020-5616
[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01]...
CVSS 9.8 | AI Score 9.6 | EPSS 0.052 | 2020-08-04 02:15 AM

CVE-2020-5615
Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified...
CVSS 8.8 | AI Score 9.2 | EPSS 0.003 | 2020-08-04 02:15 AM

CVE-2020-15041
PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Add Site Link...
CVSS 4.8 | AI Score 5.7 | EPSS 0.001 | 2020-06-24 09:15 PM

CVE-2020-14960
A SQL injection vulnerability in PHP-Fusion 9.03.50 affects the endpoint administration/comments.php via the ctype...
CVSS 7.2 | AI Score 7.8 | EPSS 0.104 | 2020-06-22 12:15 AM

Total number of security vulnerabilities: 1262