National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 25,577 matching records.
Displaying matches 121 through 140.
Vuln ID Summary CVSS Severity
CVE-2019-6990

A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zones&action=zoneImage&mid=1 URI.

Published: January 28, 2019; 03:29:00 PM -05:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2019-6985

An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for Foxit Reader and PhantomPDF. The application could encounter an Out-of-Bounds Read in Indexing or a Heap Overflow and crash during handling of certain PDF files that embed specifically crafted 3D content, due to an array access violation.

Published: January 28, 2019; 04:29:00 AM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-6984

An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for Foxit Reader and PhantomPDF. The application could encounter a Use-After-Free or Type Confusion and crash during handling of certain PDF files that embed specifically crafted 3D content, due to the use of a wild pointer.

Published: January 28, 2019; 04:29:00 AM -05:00
V3: 6.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-6983

An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for Foxit Reader and PhantomPDF. The application could encounter an Integer Overflow and crash during the handling of certain PDF files that embed specifically crafted 3D content, because of a free of valid memory.

Published: January 28, 2019; 04:29:00 AM -05:00
V3: 6.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-6982

An issue was discovered in Foxit 3D Plugin Beta before 9.4.0.16807 for Foxit Reader and PhantomPDF. The application could encounter an Out-of-Bounds Write and crash during the handling of certain PDF files that embed specifically crafted 3D content, because of the improper handling of a logic exception in the IFXASSERT function.

Published: January 28, 2019; 04:29:00 AM -05:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-6979

An issue was discovered in the User IP History Logs (aka IP_History_Logs) plugin 1.0.2 for MyBB. There is XSS via the admin/modules/tools/ip_history_logs.php useragent field.

Published: January 28, 2019; 03:29:00 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-6978

The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected.

Published: January 28, 2019; 03:29:00 AM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-6977

gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.

Published: January 26, 2019; 09:29:00 PM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-6703

Incorrect access control in migla_ajax_functions.php in the Calmar Webmedia Total Donations plugin through 2.0.5 for WordPress allows unauthenticated attackers to update arbitrary WordPress option values, leading to site takeover. These attackers can send requests to wp-admin/admin-ajax.php to call the miglaA_update_me action to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Published: January 26, 2019; 09:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-6799

An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.

Published: January 26, 2019; 12:29:00 PM -05:00
V3: 5.9 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-6798

An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.

Published: January 26, 2019; 12:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-6805

SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi.php O_id parameter.

Published: January 25, 2019; 03:29:00 AM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-6780

The Wise Chat plugin before 2.7 for WordPress mishandles external links because rendering/filters/post/WiseChatLinksPostFilter.php omits noopener and noreferrer.

Published: January 24, 2019; 03:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2019-6779

Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or delete friend links.

Published: January 24, 2019; 02:29:00 PM -05:00
V3: 8.1 HIGH
V2: 5.8 MEDIUM
CVE-2019-6777

An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter.

Published: January 24, 2019; 10:29:01 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-17705

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the display property of CheckBox objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7255.

Published: January 23, 2019; 11:29:04 PM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-17704

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the textColor property of RadioButton objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7254.

Published: January 23, 2019; 11:29:04 PM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-17703

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the defaultValue property of ComboBox objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7253.

Published: January 23, 2019; 11:29:04 PM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-17702

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the richValue property of button objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7252.

Published: January 23, 2019; 11:29:04 PM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-17701

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit PhantomPDF 9.2.0.9297. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of JSON objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7132.

Published: January 23, 2019; 11:29:04 PM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM