94 matches found
CVE-2004-1988
The CVE-2004-1988 entry documents a PHP remote file inclusion in Coppermine Photo Gallery 1.2.0 RC4. The vulnerability arises when the CPG_M_DIR setting is manipulated to reference a URL on a remote server that serves functions.inc.php, allowing an attacker to execute arbitrary PHP code on the af...
CVE-2001-1032
PHP-Nuke 5.2 and earlier (except 5.0RC1) is vulnerable to an arbitrary file upload via admin.php due to missing authentication for upload operations. An attacker can copy/upload arbitrary files and read the PHP-Nuke configuration by invoking admin.php with an upload parameter and a target file. T...
CVE-2002-0206
The CVE-2002-0206 issue affects PHP-Nuke: index.php may include a URL to remote code via the file parameter, enabling remote arbitrary PHP code execution on servers running PHP-Nuke 5.3.1 and earlier (and possibly versions before 5.5). Root cause is PHP’s include() reading a URL without validatin...
CVE-2006-0908
CVE-2006-0908 affects PHP-Nuke 7.8 Patched 3.2. A remote attacker can bypass SQL injection protections via /%2a /* sequences containing the word ad_click in the query string (kala parameter). The NVD description notes this as a SQL injection bypass vulnerability with a base CVSSv2 score of 7.5 (H...
CVE-2002-2032
The CVE-2002-2032 issue affects PHP-Nuke 5.4 and earlier, where sql_layer.php’s debugging feature is not restricted. This enables remote attackers to disclose SQL query information by setting sql_debug (e.g., in index.php or modules.php). Impact is information disclosure of all SQL queries, not r...
CVE-2007-1061
CVE-2007-1061 involves a SQL injection in PHP-Nuke (index.php) for PHP-Nuke 8.0 Final and earlier when the HTTP Referers block is enabled. The vulnerability allows remote attackers to inject SQL via the HTTP_REFERER header (Referer). CVSS metrics from NVD indicate a base score of 6.8 (MEDIUM) wit...
CVE-2007-0372
CVE-2007-0372 involves multiple SQL injection flaws in PHP-Nuke 7.9. The vulnerabilities allow remote attackers to execute arbitrary SQL commands through parameters in admin/modules/modules.php (active) and modules/Advertising/admin/index.php (ad_class, imageurl, clickurl, ad_code, position), plu...
CVE-2005-0433
Technical details about CVE-2005-0433 are not publicly provided in the supplied documents. Available sources describe a path disclosure in Php-Nuke 7.5. Monitor for updates on affected versions, impact, and fixes.
CVE-2001-1524
CVE-2001-1524 describes an XSS vulnerability in PHP-Nuke 5.3.1 and earlier. The flaw allows remote attackers to inject arbitrary web script or HTML via multiple parameters: (1) uname in user.php; (2) ttitle, letter and file in modules.php; (3) subject, story and storyext in submit.php; (4) upload...
CVE-2003-1210
The CVE-2003-1210 entry describes multiple SQL injection vulnerabilities in the PHP-Nuke Downloads module (versions 5.x through 6.5). The root cause is unsafely constructed SQL queries exposed via the lid parameter to getit and the min parameter to search, allowing remote attackers to execute arb...
CVE-2004-1839
MS Analysis module 2.0 for PHP-Nuke exposes full path disclosure via direct requests to browsers.php, mstrack.php, or title.php, enabling Information Disclosure without user interaction. Root cause: PHP error messages reveal filesystem paths. The provided documents do not specify a patched versio...
CVE-2001-1522
The CVE-2001-1522 entry describes an XSS vulnerability in im.php of IMessenger for PHP-Nuke , allowing remote attackers to inject arbitrary script or HTML via a message. Affected software: IMessenger for PHP-Nuke; root cause: insufficient input sanitization in im.php. Impact: partial integrity im...
CVE-2004-1989
The CVE-2004-1989 entry affects Coppermine Photo Gallery 1.2.2b, where a vulnerability in theme.php allows a remote attacker to execute arbitrary PHP code by altering THEME_DIR to reference a URL containing user_list_info_box.inc. This is a PHP remote file inclusion flaw with network access, no a...
CVE-2005-0434
Affected product: Php-Nuke 7.5. The CVE describes multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary HTML or web script via parameters (1) newdownloadshowdays in a NewDownloads operation or (2) newlinkshowdays in a NewLinks operation. Root cause is...
CVE-2004-1912
The CVE-2004-1912 issue affects NukeCalendar 1.1.a (as used in PHP-Nuke). The (1) modules.php, (2) block-Calendar.php, (3) block-Calendar1.php, and (4) block-Calendar_center.php scripts can disclose the full filesystem path via an error message when a URL with an invalid argument is requested. Th...
CVE-2004-1987
The CVE-2004-1987 vulnerability affects Coppermine Photo Gallery versions 1.2.2b and 1.2.0 RC4. It permits remote attackers with administrative privileges to execute arbitrary commands through shell metacharacters in the configuration parameters $CONFIG['impath'] or $CONFIG['jpeg_qual']. The conn...
CVE-2001-0001
PHP-Nuke 4.4 is affected by an authentication bypass via the cookiedecode flow. A crafted cookie (base64-encoded string split by colon) is decoded to populate $cookie[0] and other variables, allowing an attacker to manipulate the SQL in updates to impersonate other users and view or modify their ...
CVE-2001-0320
CVE-2001-0320 affects PHP-Nuke 4.4. The flaw is in bb_smilies.php and bbcode_ref.php where a malformed username argument containing a null byte and ".." sequences can allow remote attackers to read arbitrary files and gain PHP administrator privileges. This is supported by the NVD entry and corro...
CVE-2001-0911
CVE-2001-0911 affects PHP-Nuke 5.1, where user and administrator passwords are stored in a base-64 encoded cookie. This could allow remote attackers to gain privileges by stealing/sniffing the cookie and decoding it. The connected sources corroborate the cookie-based credential exposure, but no p...
CVE-2003-0279
CVE-2003-0279 describes multiple SQL injection vulnerabilities in the PHP-Nuke Web_Links module (versions 5.x through 6.5). The flaws allow remote attackers to access sensitive data by manipulating numeric fields, demonstrated via the viewlink function and cid parameter, or via index.php. The cor...
CVE-2005-1027
The vulnerability concerns PHP-Nuke 6.x through 7.6 with multiple stored/reflected XSS vectors in the web interface. Specifically, arbitrary web script/HTML can be injected via the username parameter in the Your_Account module, the avatarcategory parameter in the Your_Account module, or the lid p...
CVE-2004-0269
CVE-2004-0269 concerns a SQL injection vulnerability in PHP-Nuke 6.9 and earlier (and possibly 7.x). The vulnerability enables remote attackers to inject arbitrary SQL code and potentially read sensitive information via input in two modules: (1) the category variable in the Search module and (2) ...
CVE-2004-1972
CVE-2004-1972: SQL injection in PHP-Nuke Video Gallery Module 0.1 Beta 5 (modules.php) allows remote attackers to inject arbitrary SQL via clipid or catid parameters in viewclip, viewcat, or voteclip actions. Vulnerable component is the module’s handling of these parameters, enabling unauthorized...
CVE-2001-0383
CVE-2001-0383 affects PHP-Nuke up to version 4.4 and earlier. The banners.php Change operation can be invoked remotely without authentication, allowing modification of banner ad URLs. NVD lists a Network attack vector, low complexity, with no confidentiality impact, partial integrity impact, and ...
CVE-2004-0732
CVE-2004-0732 describes a SQL injection in Php-Nuke’s Search module (index.php) exploitable via the instory parameter. Root cause: insufficient input validation in the Search module, enabling remote attackers to inject arbitrary SQL. Impact per CVSSv2 is partial disclosure, modification, and disr...
CVE-2004-1914
Affected software : NukeCalendar 1.1.a as used in PHP-Nuke. Vulnerability : SQL injection in modules.php via the eid parameter. This allows remote attackers to execute arbitrary SQL commands. Impact : Partial confidentiality, integrity, and availability impact as per CVSS; attacker can compromise...
CVE-2005-1000
CVE-2005-1000: XSS in PHP-Nuke 7.6. Affected components include banners.pgp (EmailStats op) via bid, Web_Links (TopRated/MostPopular via ratenum, viewlinkdetails/editorial/comments/ratelink via ttitle), and Your_Account (username). Root cause is improper handling of user-supplied parameters leadi...
CVE-2005-4260
CVE-2005-4260 is an XSS vulnerability in PHP-Nuke 7.9 and later, where an interpretation conflict in includes/mainfile.php allows remote attackers to inject scripts by replacing the ">" with "
CVE-2006-5720
CVE-2006-5720 describes a remote SQL injection in the PHP-Nuke Journal module (files: modules/journal/search.php) where the parameter forwhat can be tainted to inject arbitrary SQL. Affected software: PHP-Nuke 7.9 and earlier. Root cause: improper input handling in the journal search feature lead...
CVE-2002-1803
CVE-2002-1803 describes a cross-site scripting (XSS) flaw in PHP-Nuke 6.0 that allows remote attackers to inject arbitrary script/HTML via Javascript in an IMG tag. Affected software is PHP-Nuke 6.0; the root cause is an XSS vulnerability exposed by image tags, enabling arbitrary code execution i...
CVE-2004-1984
The CVE concerns Coppermine Photo Gallery versions 1.2.2b and 1.2.0 RC4. Affected files (phpinfo.php, addpic.php, config.php, db_input.php, displayecard.php, ecard.php, crop.inc.php) can disclose the full server path via a PHP error message when accessed directly, leaking information about the in...
CVE-2004-2294
CVE-2004-2294 affects PHP-Nuke 6.0 through 7.3, where the send_review function in the Reviews module has a canonicalize-before-filter error. Text parameter processing allows remote attackers to inject arbitrary web script or HTML via hex-encoded XSS sequences after the text is checked for dangero...
CVE-2005-1023
CVE-2005-1023 : XSS vulnerabilities in PHP-Nuke 6.x–7.6 allow remote attackers to inject arbitrary script/HTML via specific parameters in Search, FAQ, and Encyclopedia modules (min, categories, ltr). The note clarifies that the related banner issue is covered by CVE-2005-1000. Connected documents...
CVE-2003-0318
The CVE-2003-0318 entry describes a Cross-site Scripting (XSS) vulnerability in the Statistics module of PHP-Nuke 6.0 and earlier. An attacker could inject arbitrary script via the year parameter, affecting PHP-Nuke’s Statistics component. The NVD entry lists a base score of 4.3 (Medium) with I:P...
CVE-2004-2297
The CVE-2004-2297 case concerns the Reviews module of PHP-Nuke versions 6.0 through 7.3. The vulnerability is a denial of service caused by a large, out-of-range score parameter that can consume CPU and memory. The available sources (NVD, CVE lists) describe the impact as a CPU/memory DoS but do ...
CVE-2004-1817
This CVE affects Php-Nuke 7.1.0, where a cross-site scripting (XSS) vulnerability exists in modules.php. The issue allows an attacker to inject arbitrary web script or HTML through user-supplied input in multiple fields: Your Name, e-mail, nicname, fname, ratenum, and search. The root cause is im...
CVE-2004-2044
CVE-2004-2044 affects PHP-Nuke 7.3 and related products that use the PHP-Nuke codebase (e.g., Nuke Cops betaNC bundle, OSCNukeLite 3.1, OSC2Nuke 7x). It arises from improper use of eregi() with $_SERVER['PHP_SELF'] to identify the calling script, enabling remote attackers to directly access scrip...
CVE-2005-4715
CVE-2005-4715 concerns multiple SQL injection vulnerabilities in PHP-Nuke 7.8. The flaw occurs in modules.php when magic_quotes_gpc is disabled, allowing remote attackers to inject arbitrary SQL via the POST parameters (name, sid, pid) that bypass security checks applied to GET requests. Affected...
CVE-2000-0745
CVE-2000-0745 affects PHP-Nuke where admin.php3 does not properly verify the administrator password, enabling privilege escalation when a URL omits the aid/pwd parameters. Connected documents provide a detailed exploitation path: an attacker can manipulate URL parameters and the cookiedecode rout...
CVE-2003-1400
The CVE-2003-1400 entry describes a Cross-site scripting (XSS) vulnerability in the Your_Account module of PHP-Nuke versions 5.0 through 6.0. The issue arises from an input vector in the user_avatar parameter, allowing remote attackers to inject arbitrary web script or HTML. Affected software: PH...
CVE-2004-0265
This CVE concerns a Cross-site Scripting (XSS) vulnerability in Php-Nuke 6.x-7.1.0, specifically in modules.php. The vulnerability allows remote attackers to execute arbitrary script as other users by manipulating URL-encoded parameters (1) title or (2) fname in the News or Reviews modules. Affec...
CVE-2004-0266
Affects Php-Nuke 6.x to 7.1.0 where the SQL injection vulnerability is in the public_message capability (c_mid parameter) that can disclose the administrator password. Exploitation details or specific patches are not provided in the connected documents. The OpenVAS/Nessus references confirm long-...
CVE-2004-0737
CVE-2004-0737 concerns Php-Nuke’s Search module (index.php). The advisory notes multiple cross-site scripting vulnerabilities exploitable through 11 parameters (sid, max, sel1–sel5, match, mod1–mod3), allowing remote injection of arbitrary script/HTML. The root cause implied is insufficient input...
CVE-2004-1840
CVE-2004-1840 affects the MS Analysis module 2.0 for PHP-Nuke. The vulnerability is multiple cross-site scripting (XSS) flaws that allow remote attackers to inject arbitrary JavaScript/HTML via (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to mo...
CVE-2004-1930
Technical details beyond the initial description are not provided in the connected documents. Monitor for updates and vendor advisories for any fixes or affected versions.
CVE-2004-1932
This CVE (CVE-2004-1932) affects PHP-Nuke 6.x through 7.2, with a SQL injection in auth.php and admin.php. The underlying flaw allows remote attackers to inject SQL and create an administrator account via base64-encoded SQL in the admin parameter. The connected sources confirm the vulnerable comp...
CVE-2004-1999
CVE-2004-1999 describes a Cross-site scripting (XSS) vulnerability in the Downloads module of Php-Nuke 6.x through 7.2. The issue allows remote attackers to inject arbitrary HTML and web script via the ttitle or sid parameters to modules.php. Affected software is Php-Nuke, version range 6.x–7.2, ...
CVE-2005-3792
CVE-2005-3792 corresponds to SQL injection in the PHP-Nuke 7.8 Search module (and possibly earlier versions) that allows remote execution of arbitrary SQL commands via the query parameter in a stories type. Affected software is PHP-Nuke 7.8 with patch 3.1, and other versions before 7.9 may be vul...
CVE-2001-0292
CVE-2001-0292 concerns PHP-Nuke 4.4.1a. The vulnerability allows remote attackers to modify a user’s email address and obtain the password by guessing the user id (UID) and invoking the user.php page with the saveuser operator. The description indicates an unauthenticated vector that leverages UI...
CVE-2003-1435
This CVE (CVE-2003-1435) describes an SQL injection in PHP-Nuke versions 5.6 and 6.0, exploitable via the days parameter in the search module to allow remote execution of arbitrary SQL. The underlying issue is an input validation flaw in the search component, enabling attackers to influence the b...