National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 26,026 matching records.
Displaying matches 1 through 20.
Columns: Vuln ID, Summary, Published, CVSS Severity
CVE-2018-17843

SQL injection exists in ADD Clicking MLM Software 1.0, Binary MLM Software 1.0, Level MLM Software 1.0, Singleleg MLM Software 1.0, Autopool MLM Software 1.0, Investment MLM Software 1.0, Bidding MLM Software 1.0, Moneyorder MLM Software 1.0, Repurchase MLM Software 1.0, and Gift MLM Software 1.0 via the member/readmsg.php msg_id parameter, the member/tree.php pid parameter, or the member/downline.php m_id parameter.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2018-12624

An issue was discovered in Eventum 3.5.0. /htdocs/post_note.php has XSS via the garlic_prefix parameter.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2017-18375

Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10759

The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resultant arbitrary code execution, via ExtendedFileManager/Classes/ExtendedFileManager.php because ExtendedFileManager can be used to rename the .htaccess file that blocks .php uploads.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10758

PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php file to pkinc/admin/mediaarchive.php and pkinc/func/default.php via the image_name parameter.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10757

In Redaxo 5.2.0, the cron management of the admin panel suffers from CSRF that leads to arbitrary Remote Code Execution via addons/cronjob/lib/types/phpcode.php.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10756

Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload because module.php?module=upload can be used to configure the uploading of .php files, and then modules/upload/upload_main.php can be used for the upload itself.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10755

AbanteCart 1.2.8 allows SQL Injection via the source_language parameter to admin/controller/pages/localisation/language.php and core/lib/language_manager.php, or via POST data to admin/controller/pages/tool/backup.php and admin/model/tool/backup.php.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10754

modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection via the contactidlist parameter.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10753

e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
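The e107 entry above describes the textbook object-injection pattern: client-controlled data handed to unserialize() with nothing binding it to the server. The following is an added illustration written for this page; it is not e107 code and not part of the NVD record. The AuditLogger class, the cookie layout (hex HMAC, a dot, base64 payload) and the key handling are hypothetical stand-ins. It shows why raw unserialize() lets the sender choose which classes get instantiated, and how an HMAC check plus allowed_classes takes that choice away.

```php
<?php
// Added example, not e107 code: PHP object injection via unserialize() on
// untrusted input, and the HMAC-protected alternative.
declare(strict_types=1);

// Hypothetical application class. Any class with a magic method
// (__wakeup, __destruct, __toString, ...) is a potential gadget once an
// attacker controls which classes unserialize() instantiates.
final class AuditLogger
{
    public string $logFile = '/tmp/app.log';
    public string $message = '';

    public function __destruct()
    {
        // Kept side-effect free for the demo; in a real gadget this would be
        // file_put_contents($this->logFile, $this->message), a query, etc.
        echo "AuditLogger::__destruct would write to {$this->logFile}\n";
    }
}

// Vulnerable: the client picks the class names inside the serialized string.
function loadSettingsVulnerable(string $cookie): array
{
    $data = unserialize($cookie);
    return is_array($data) ? $data : [];
}

// Hardened: cookie = hex(HMAC-SHA256(key, payload)) . '.' . base64(payload).
function signSettings(array $settings, string $key): string
{
    $payload = serialize($settings);
    return hash_hmac('sha256', $payload, $key) . '.' . base64_encode($payload);
}

function loadSettingsHardened(string $cookie, string $key): ?array
{
    if (!preg_match('~^([0-9a-f]{64})\.([A-Za-z0-9+/=]+)$~', $cookie, $m)) {
        return null;                       // not in the signed format at all
    }
    [, $mac, $b64] = $m;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    // Verify before touching the payload; hash_equals is constant-time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;                       // forged or tampered
    }
    // Defence in depth: a valid MAC still never yields objects.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Demo with constructed inputs.
$key = random_bytes(32);                   // in practice: a persistent secret from config

$legit = signSettings(['theme' => 'dark', 'lang' => 'en'], $key);

// Constructed attacker cookie: an AuditLogger object instead of a settings array.
$evil = 'O:11:"AuditLogger":2:{s:7:"logFile";s:14:"/tmp/pwned.php";s:7:"message";s:13:"<?php echo 1;";}';

// Replay attempt: a genuine MAC glued onto a different payload.
[$mac] = explode('.', $legit, 2);
$forged = $mac . '.' . base64_encode(serialize(['theme' => 'evil']));

loadSettingsVulnerable($evil);             // instantiates AuditLogger; its destructor fires
var_dump(loadSettingsHardened($legit, $key) !== null);   // genuine cookie is accepted
var_dump(loadSettingsHardened($evil, $key));             // rejected: no valid MAC
var_dump(loadSettingsHardened($forged, $key));           // rejected: MAC does not cover this payload
```

The order of operations in loadSettingsHardened is the point: the MAC is checked over the raw serialized bytes before unserialize() ever sees them, so an attacker without the key cannot get any class instantiated, and allowed_classes => false means that even a key compromise only yields scalars and arrays. Swapping serialize()/unserialize() for json_encode()/json_decode() removes the object-instantiation surface entirely where the data is plain settings.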
CVE-2016-10752

serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated by "php" as a filename.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10751

osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the plugin parameter. This is exploitable for remote PHP code execution because an administrator can upload an image that contains PHP code in the EXIF data via index.php?page=ajax&action=ajax_upload.

Published: May 24, 2019; 02:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2019-11604

An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS via the METHOD GET parameter: the application does not validate or sanitize this parameter before processing it, so an attacker can place arbitrary script code into the context of the page.

Published: May 24, 2019; 01:29:02 PM -04:00
CVSS Severity: (not available)
CVE-2019-10848

Computrols CBAS 18.0.0 allows Username Enumeration.

Published: May 24, 2019; 01:29:02 PM -04:00
CVSS Severity: (not available)
CVE-2019-10847

Computrols CBAS 18.0.0 allows Cross-Site Request Forgery.

Published: May 24, 2019; 01:29:02 PM -04:00
CVSS Severity: (not available)
CVE-2016-8900

Exponent CMS version 2.3.9 suffers from an Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.

Published: May 24, 2019; 01:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-8898

Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.

Published: May 24, 2019; 01:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2016-10245

Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.

Published: May 24, 2019; 01:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2019-11876

In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.

Published: May 24, 2019; 12:29:00 PM -04:00
CVSS Severity: (not available)
CVE-2019-12312

In Libreswan before 3.28, an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode to a Libreswan server. This affects send_v2N_spi_response_from_state in programs/pluto/ikev2_send.c when built with Network Security Services (NSS).

Published: May 24, 2019; 10:29:00 AM -04:00
CVSS Severity: (not available)