70 matches found

added 2006/02/23 11:2 p.m. | 35 views

CVE-2006-0857

Cross-site scripting (XSS) vulnerability in Chatbox Plugin 1.0 in e107 0.7.2 allows remote attackers to inject arbitrary HTML or web script via a Chatbox, as demonstrated using a SCRIPT element.

CVSS 4.3 | AI score 5.8 | EPSS 0.00406

added 2006/05/25 10:2 a.m. | 35 views

CVE-2006-2590

SQL injection vulnerability in e107 before 0.7.5 allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.

CVSS 6.4 | AI score 8.3 | EPSS 0.00326

added 2006/06/27 9:5 p.m. | 35 views

CVE-2006-3259

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) ep parameter to search.php and the (2) subject parameter in comment.php (aka the Subject field when posting a comment).

CVSS 4.3 | AI score 6 | EPSS 0.06224

added 2010/04/20 4:30 p.m. | 35 views

CVE-2010-0996

Unrestricted file upload vulnerability in e107 before 0.7.20 allows remote authenticated users to execute arbitrary code by uploading a .php.filetypesphp file. NOTE: the vendor disputes the significance of this issue, noting that "an odd set of preferences and a missing file" are required.

CVSS 6 | AI score 7.4 | EPSS 0.02777

added 2012/08/31 10:55 p.m. | 35 views

CVE-2011-4946

SQL injection vulnerability in e107_admin/users_extended.php in e107 before 0.7.26 allows remote attackers to execute arbitrary SQL commands via the user_field parameter.

CVSS 6.8 | AI score 8.7 | EPSS 0.00783 | Web

added 2006/02/15 12:2 a.m. | 34 views

CVE-2006-0682

Multiple cross-site scripting (XSS) vulnerabilities in bbcodes system in e107 before 0.7.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.

CVSS 4.3 | AI score 5.8 | EPSS 0.00427

added 2012/01/04 7:55 p.m. | 34 views

CVE-2011-4920

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, and other versions before 1.0.0, allow remote attackers to inject arbitrary web script or HTML via the URL to (1) e107_images/thumb.php or (2) rate.php, (3) resend_name parameter to e107_admin/users.php, and (4) link BBCode in user...

CVSS 4.3 | AI score 5.9 | EPSS 0.00503 | Web

added 2014/01/22 7:55 p.m. | 34 views

CVE-2013-7305

fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user.

CVSS 4.3 | AI score 6.9 | EPSS 0.00243

added 2012/01/04 7:55 p.m. | 33 views

CVE-2011-4921

SQL injection vulnerability in usersettings.php in e107 0.7.26, and possibly other versions before 1.0.0, allows remote attackers to execute arbitrary SQL commands via the username parameter.

CVSS 5.1 | AI score 8.7 | EPSS 0.00458

added 2018/09/05 9:29 p.m. | 33 views

CVE-2018-16381

e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter.

CVSS 6.1 | AI score 6.1 | EPSS 0.0024 | Web

added 2018/09/12 4:29 p.m. | 33 views

CVE-2018-16388

e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the image/jpeg content type.

CVSS 7.2 | AI score 7.3 | EPSS 0.00774

added 2007/06/27 12:30 a.m. | 32 views

CVE-2007-3429

Unrestricted file upload vulnerability in signup.php in e107 0.7.8 and earlier, when photograph upload is enabled, allows remote attackers to upload and execute arbitrary PHP code via a filename with a double extension such as .php.jpg.

CVSS 6.8 | AI score 7.5 | EPSS 0.02388

added 2017/04/24 6:59 p.m. | 32 views

CVE-2017-8098

e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.

CVSS 6.5 | AI score 6.3 | EPSS 0.00166

added 2012/07/03 10:55 p.m. | 31 views

CVE-2012-3843

Cross-site scripting (XSS) vulnerability in the registration page in e107, probably 1.0.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 4.3 | AI score 5.8 | EPSS 0.00285 | Web

added 2014/01/22 7:55 p.m. | 31 views

CVE-2013-2750

Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string.

CVSS 4.3 | AI score 5.7 | EPSS 0.00624 | Web

added 2015/01/15 3:59 p.m. | 31 views

CVE-2015-1041

Cross-site scripting (XSS) vulnerability in e107_admin/filemanager.php in e107 1.0.4 allows remote attackers to inject arbitrary web script or HTML via the e107_files/ file path in the QUERY_STRING.

CVSS 4.3 | AI score 5.9 | EPSS 0.00796 | Web

added 2018/05/15 5:29 p.m. | 31 views

CVE-2018-11127

e107 2.1.7 has CSRF resulting in arbitrary user deletion.

CVSS 6.5 | AI score 6.5 | EPSS 0.00117

added 2018/08/28 7:29 p.m. | 31 views

CVE-2018-15901

e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators.

CVSS 8.8 | AI score 8.7 | EPSS 0.00141

added 2015/01/02 8:59 p.m. | 28 views

CVE-2014-9459

Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin action.

CVSS 6.8 | AI score 7.3 | EPSS 0.00179 | Web

added 2017/05/29 7:29 p.m. | 28 views

CVE-2016-10378

e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.php, related to the menuSaveVisibility function.

CVSS 7.2 | AI score 7.1 | EPSS 0.00456 | Web

Total number of security vulnerabilities: 70