National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 26,154 matching records.
Displaying matches 101 through 120.
Vuln ID Summary CVSS Severity
CVE-2019-6753

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Reader 9.3.0.10826. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the Stuff method. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-7561.

Published: June 03, 2019; 03:29:02 PM -04:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-6752

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit PhantomPDF 9.3.10826. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-7620.

Published: June 03, 2019; 03:29:02 PM -04:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-6751

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Studio Photo 3.6.6.779. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of JPG files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7632.

Published: June 03, 2019; 03:29:02 PM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-6750

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Studio Photo 3.6.6. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of EZI files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7639.

Published: June 03, 2019; 03:29:02 PM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-6749

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Studio Photo 3.6.6. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of EZIX files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7638.

Published: June 03, 2019; 03:29:02 PM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-6748

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Studio Photo 3.6.6. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of EZI files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7637.

Published: June 03, 2019; 03:29:02 PM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-6747

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Studio Photo 3.6.6. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of EZI files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7636.

Published: June 03, 2019; 03:29:02 PM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-6746

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Foxit Studio Photo 3.6.6. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of TIF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-7634.

Published: June 03, 2019; 03:29:02 PM -04:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9882

Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to add malicious email sources into whitelist via user/save_list.php?ACSION=&type=email&category=white&locate=big5&cmd=add&new=hacker@socialengineering.com&new_memo=&add=%E6%96%B0%E5%A2%9E without any authorizes.

Published: June 03, 2019; 02:29:06 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-12593

IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.

Published: June 03, 2019; 01:29:01 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-12585

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.

Published: June 02, 2019; 11:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-12584

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an XSS issue in apcupsd_status.php.

Published: June 02, 2019; 11:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-12566

The WP Statistics plugin through 12.6.5 for Wordpress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user.

Published: June 02, 2019; 08:29:00 PM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2019-12564

In DouCo DouPHP v1.5 Release 20190516, remote attackers can view the database backup file via a brute-force guessing approach for data/backup/DyyyymmddThhmmss.sql filenames.

Published: June 02, 2019; 08:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 5.0 MEDIUM
CVE-2019-12530

Incorrect access control was discovered in the stdonato Dashboard plugin through 0.9.7 for GLPI, affecting df.php, issue.php, load.php, mem.php, traf.php, and uptime.php in front/sh.

Published: June 02, 2019; 01:29:01 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-9653

NUUO Network Video Recorder Firmware 1.7.x through 3.3.x allows unauthenticated attackers to execute arbitrary commands via shell metacharacters to handle_load_config.php.

Published: May 31, 2019; 06:29:01 PM -04:00
V3: 9.8 CRITICAL
V2: 10.0 HIGH
CVE-2019-9106

The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to execute or include local .php files, as demonstrated by menu=php://filter/convert.base64-encode/resource=index.php to read index.php.

Published: May 31, 2019; 06:29:01 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-9105

The WebApp v04.68 in the supervisor on SAET Impianti Speciali TEBE Small 05.01 build 1137 devices allows remote attackers to make several types of API calls without authentication, as demonstrated by retrieving password hashes via an inc/utils/REST_API.php?command=CallAPI&customurl=alladminusers call.

Published: May 31, 2019; 06:29:01 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-12507

An XSS vulnerability exists in PHPRelativePath (aka Relative Path) through 1.0.2 via the RelativePath.Example1.php path parameter.

Published: May 31, 2019; 10:29:03 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-12493

A stack-based buffer over-read exists in PostScriptFunction::transform in Function.cc in Xpdf 4.01.01 because GfxSeparationColorSpace and GfxDeviceNColorSpace mishandle tint transform functions. It can, for example, be triggered by sending a crafted PDF document to the pdftops tool. It might allow an attacker to cause Denial of Service or leak memory data.

Published: May 30, 2019; 10:29:00 PM -04:00
V3: 7.1 HIGH
V2: 5.8 MEDIUM