21 matches found
CVE-2006-5494
CVE-2006-5494 / CVE-2006-6795 describe remote file inclusion flaws in the pandaBB module for PHP-Nuke and the My_eGallery 2.5.6 module for myPHPNuke, both allowing an attacker to execute arbitrary PHP code via a URL parameter. The core issue is PHP remote file inclusion in the gallery/displayCate...
CVE-2001-0899
CVE-2001-0899 concerns the PHP-Nuke Network Tools Add-On. The connected sources confirm that the vulnerability arises in Network Tools 0.2 for PHP-Nuke, where the remote attacker can execute commands on the server via shell metacharacters placed in the $hostinput variable. This leads to arbitrary...
CVE-2006-5525
PHP-Nuke 7.9 and earlier are affected by an incomplete blacklist in mainfile.php that fails to reject UNION-based SQL injection payloads. The vulnerability can be triggered via the eid parameter in the Encyclopedia module (modules.php) using patterns such as /**/UNION or UNION/**/. The root cause is...
CVE-2004-1842
PHP-Nuke 6.x through 7.1.0 is affected by a CSRF that lets an attacker gain administrative privileges via an image tag pointing to admin.php. The PT-2004-2741 entry confirms the issue and recommends upgrading to a version containing the fix; no specific fixed version is provided in the sources.
CVE-2011-1480
CVE-2011-1480 affects PHP-Nuke (admin.php) in the admin backend of PHP-Nuke 8.0 and earlier. The vulnerability is an SQL injection via the chng_uid parameter, allowing remote attackers to execute arbitrary SQL commands. The available connected documents confirm the affected software/version range...
CVE-2007-4212
CVE-2007-4212 concerns multiple XSS flaws in the PHP-Nuke Search Module. The vulnerabilities allow remote attackers to inject arbitrary script/HTML by supplying a trailing “” in: (1) the onerror attribute of IMG, (2) the onload attribute of IFRAME, or (3) redirect via the META tag. Affected softw...
CVE-2011-3784
CVE-2011-3784 affects PHP-Nuke 8.0 and enables information disclosure by requesting a .php file, which then reveals the installation path in an error message (e.g., themes/Odyssey/theme.php). The root cause is error handling that leaks filesystem paths to remote attackers. Documented impact is se...
CVE-2005-1028
PHP-Nuke 6.x through 7.6 contains an information disclosure vulnerability where remote attackers can obtain sensitive information by directly requesting (1) index.php with the forum_admin parameter, (2) the Surveys module, or (3) the Your_Account module. The attack reveals the path in a PHP error...
CVE-2008-6728
CVE-2008-6728 affects the PHP-Nuke Sections module, where an SQL injection is possible through the artid parameter in a printpage action to modules.php. The vulnerability arises from unsafely constructed SQL in the Sections module, enabling remote attackers to inject arbitrary SQL commands. The v...
CVE-2003-1340
CVE-2003-1340 refers to multiple SQL injection vulnerabilities in PHP-Nuke 5.6 and 6.5. The flaws allow remote authenticated users to inject SQL via a uid cookie to modules.php and via an aid cookie to the Web_Links module using actions such as viewlink, MostPopular, or NewLinksDate. The cited so...
CVE-2009-1842
PHP-Nuke 8.0 is affected by a SQL injection in main/tracking/userLog.php that allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header. Documented as CVE-2009-1842 with CVSS v2 base score 7.5 (network, low complexity, no auth). Affected product: PHP-Nuke; vulnerabilit...
CVE-2011-1481
CVE-2011-1481 affects PHP-Nuke 8.0 and earlier. The vulnerability is multiple cross-site scripting (XSS) in the Feedback action of modules.php, exploitable via the sender_name or sender_email parameters. Impact described as allowing remote attackers to inject arbitrary web script or HTML. NVD met...
CVE-2014-3934
CVE-2014-3934 is a SQL injection vulnerability in the Submit_News module of PHP-Nuke 8.3, exploitable via topics[] in modules.php to execute arbitrary SQL. Impact is partial confidentiality/integrity/availability. Exploitation details are supported by NVD/RedHat entries; CIRCL shows an exploit on...
CVE-2011-1482
PHP-Nuke 8.0 and earlier are affected by multiple CSRF vulnerabilities in mainfile.php that allow remote attackers to hijack administrator sessions by issuing requests to add user accounts or grant admin privileges. The root cause is a Referer check implemented as a substring comparison, enabling...
CVE-2008-2020
The CVE-2008-2020 issue affects multiple CAPTCHA implementations: PHP-Nuke (versions 7.0–8.1), my123tkShop 0.9.1, phpMyBitTorrent 1.2.2, TorrentFlux 2.3, e107 0.7.11, WebZE 0.5.9, Open Media Collectors Database 1.5.0b4, and Labgab 1.1. The root cause is use of a code_bg.jpg background with PHP Im...
CVE-2007-1449
CVE-2007-1449 affects PHP-Nuke 8.0 and earlier. A directory-traversal flaw in mainfile.php allows remote attackers to read arbitrary files by supplying ".." in the lang parameter, enabling partial confidentiality impact. Root cause: insufficient input validation in the lang parameter. The connect...
CVE-2007-1520
The CVE-2007-1520 issue affects PHP-Nuke 8.0 and earlier, where CSRF protection fails to verify that the SERVER superglobal is an array before validating HTTP_REFERER. This logic flaw enables CSRF attacks against vulnerable PHP-Nuke installations. The vulnerability is described in multiple source...
CVE-2021-30177
CVE-2021-30177 corresponds to a SQL Injection vulnerability in PHP-Nuke 8.3.3 (User Registration) that can lead to remote code execution. Root cause described across sources: input validation failures, specifically U.S. state not restricted to two letters and the OrderBy parameter not limited to ...
CVE-2007-1450
The CVE-2007-1450 issue affects PHP-Nuke 8.0 and earlier, where an SQL injection flaw in mainfile.php enables remote attackers to execute arbitrary SQL commands in the Top or News module via the lang parameter. Affected component is the mainfile.php entry point used by the PHP-Nuke framework; roo...
CVE-2010-5083
CVE-2010-5083: A SQL injection vulnerability exists in the Web_Links module of PHP-Nuke 8.0, allowing remote attackers to execute arbitrary SQL commands via the url parameter in an Add action to modules.php. The issue is caused by unsanitized input in that parameter, with potential partial confi...
CVE-2007-1519
PHP-Nuke (versions 8.0 and earlier) is affected by a cross-site scripting (XSS) issue in modules.php, exploitable via the query parameter in the Downloads module search. This is a remote XSS vulnerability in PHP-Nuke INP/Downloads search path; the exact root cause is a failure to sanitize input i...