National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 26,809 matching records.
Displaying matches 1 through 20.
Each record lists: Vuln ID, Summary, Published date, CVSS Severity (V3.1 and V2 where scored).
CVE-2019-17676

app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.

Published: October 17, 2019; 09:15:11 AM -04:00
CVSS: (not available)
CVE-2019-17611

HongCMS 3.0.0 has XSS via the install/index.php tableprefix parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
CVSS: (not available)
CVE-2019-17610

HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
CVSS: (not available)
CVE-2019-17609

HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
CVSS: (not available)
CVE-2019-17608

HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
CVSS: (not available)
CVE-2019-17607

HongCMS 3.0.0 has XSS via the install/index.php servername parameter.

Published: October 16, 2019; 06:15:10 PM -04:00
CVSS: (not available)
CVE-2019-17512

There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces.

Published: October 16, 2019; 03:15:16 PM -04:00
CVSS: (not available)
CVE-2019-17578

An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Sender email for automatic emails (default value in php.ini: Undefined)" field.

Published: October 16, 2019; 02:15:25 PM -04:00
CVSS: (not available)
CVE-2019-17577

An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via the "Email used for error returns emails (fields 'Errors-To' in emails sent)" field.

Published: October 16, 2019; 02:15:25 PM -04:00
CVSS: (not available)
CVE-2019-17576

An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via the "Send all emails to (instead of real recipients, for test purposes)" field.

Published: October 16, 2019; 02:15:25 PM -04:00
CVSS: (not available)
CVE-2019-17660

A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO.

Published: October 16, 2019; 12:15:11 PM -04:00
CVSS: V3.1: 6.1 MEDIUM; V2: 4.3 MEDIUM
CVE-2019-17630

CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "News > Add Article" screen.

Published: October 16, 2019; 10:15:14 AM -04:00
CVSS: V3.1: 4.8 MEDIUM; V2: 3.5 LOW
CVE-2019-17629

CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a crafted image filename on the "file manager > upload images" screen.

Published: October 16, 2019; 10:15:14 AM -04:00
CVSS: V3.1: 4.8 MEDIUM; V2: 3.5 LOW
CVE-2019-17613

qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter.

Published: October 15, 2019; 07:15:08 PM -04:00
CVSS: (not available)
CVE-2019-17612

An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.

Published: October 15, 2019; 07:15:08 PM -04:00
CVSS: V3.1: 7.2 HIGH; V2: 6.5 MEDIUM
CVE-2019-17223

There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.

Published: October 15, 2019; 08:15:10 AM -04:00
CVSS: V3.1: 6.1 MEDIUM; V2: 4.3 MEDIUM
CVE-2019-17593

JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.

Published: October 14, 2019; 05:15:11 PM -04:00
CVSS: V3.1: 8.8 HIGH; V2: 6.8 MEDIUM
CVE-2019-17583

idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of service (resource consumption) via a query for many comments, as demonstrated by the admincp.php?app=comment&perpage= substring followed by a large positive integer.

Published: October 14, 2019; 12:15:10 PM -04:00
CVSS: V3.1: 7.5 HIGH; V2: 5.0 MEDIUM
CVE-2019-17580

tonyy dormsystem through 1.3 allows SQL Injection in admin.php.

Published: October 14, 2019; 12:15:10 PM -04:00
CVSS: V3.1: 9.8 CRITICAL; V2: 7.5 HIGH
CVE-2019-17511

There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can get the router's log file via log_get.php, which could be used to discover the intranet network structure.

Published: October 14, 2019; 12:15:10 PM -04:00
CVSS: V3.1: 7.5 HIGH; V2: 5.0 MEDIUM