National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 26,555 matching records.
Displaying matches 121 through 140.
Vuln ID Summary CVSS Severity
CVE-2019-15641

xmlrpc.cgi in Webmin through 1.930 allows authenticated XXE attacks. By default, only root, admin, and sysadm can access xmlrpc.cgi.

Published: August 26, 2019; 02:15:12 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 6.8 MEDIUM
CVE-2019-15533

XENFCoreSharp before 2019-07-16 allows SQL injection in web/verify.php.

Published: August 26, 2019; 02:15:12 PM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15555

FredReinink Wellness-app before 2019-06-19 allows SQL injection, related to dietTrack.php, exerciseGenerator.php, fitnessTrack.php, and server.php.

Published: August 26, 2019; 01:15:12 PM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15574

Gesior-AAC before 2019-05-01 allows serviceID SQL injection in accountmanagement.php.

Published: August 26, 2019; 11:15:12 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15573

Gesior-AAC before 2019-05-01 allows SQL injection in tankyou.php.

Published: August 26, 2019; 11:15:12 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15572

Gesior-AAC before 2019-05-01 allows ServiceCategoryID SQL injection in shop.php.

Published: August 26, 2019; 11:15:12 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15571

The WEB control panel before 2019-04-30 for ClonOS allows SQL injection in clonos.php.

Published: August 26, 2019; 11:15:12 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15565

The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection in icommktconnector.php.

Published: August 26, 2019; 11:15:12 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15556

Pvanloon1983 social_network before 2019-07-03 allows SQL injection in includes/form_handlers/register_handler.php.

Published: August 26, 2019; 09:15:11 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15524

CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php file to admin/filemanager in the File Management Module, which leads to remote code execution by visiting a photo/upload/2019/ URI.

Published: August 26, 2019; 09:15:11 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15521

Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and other products, allows PHP object injection via a cookie containing an object.

Published: August 26, 2019; 09:15:11 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-15537

The proxystatistics module before 3.1.0 for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php.

Published: August 23, 2019; 02:15:11 PM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-11654

Path traversal vulnerability in Micro Focus Verastream Host Integrator (VHI), versions 7.7 SP2 and earlier. The vulnerability allows remote unauthenticated attackers to read arbitrary files.

Published: August 23, 2019; 02:15:11 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-15531

GNU Libextractor through 1.9 has a heap-based buffer over-read in the function EXTRACTOR_dvi_extract_method in plugins/dvi_extractor.c.

Published: August 23, 2019; 01:15:14 PM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-15485

Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php.

Published: August 23, 2019; 09:15:11 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-20987

The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection.

Published: August 22, 2019; 04:15:11 PM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2015-9340

The wp-file-upload plugin before 3.0.0 for WordPress has insufficient restrictions on upload of php, js, pht, php3, php4, php5, phtml, htm, html, and htaccess files.

Published: August 22, 2019; 04:15:11 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2015-9338

The wp-file-upload plugin before 2.5.0 for WordPress has insufficient restrictions on upload of .php files.

Published: August 22, 2019; 04:15:11 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
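The two wp-file-upload entries above (CVE-2015-9340 and CVE-2015-9338), like the CSZ CMS entry (CVE-2019-15524), describe the same failure: the upload handler only blocks extensions it has been told about, so anything the list omits (or a variant the comparison misses) lands in a web-served directory and is executed as PHP. The following is an added example, not code from the wp-file-upload plugin or from WordPress. It is written in Python so it can be run anywhere; the denylist reproduces the extensions named in CVE-2015-9340, the allowlist and the file names are constructed, and the check shows why a denylist of this kind is insufficient and what an allowlist-based check looks like.

```python
"""
Denylist vs. allowlist validation of uploaded file names.

Constructed example (not the plugin's own code). DENYLIST is the set of
extensions CVE-2015-9340 says wp-file-upload did not restrict before 3.0.0;
ALLOWLIST is a hypothetical list for an image/document upload form.
"""
import re
import unicodedata

DENYLIST = {"php", "js", "pht", "php3", "php4", "php5", "phtml",
            "htm", "html", "htaccess"}

# Hypothetical: what this particular form is actually meant to accept.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def denylist_check(filename: str) -> bool:
    """Weak check: accept unless the *last* extension is on the denylist.

    Fails open on anything the list omits (php7, phar, shtml, ...) and on
    double extensions where the last segment looks harmless.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENYLIST


def allowlist_check(filename: str) -> bool:
    """Hardened check: fail closed.

    - Unicode-normalise, then require a base name plus one or more
      extensions made only of [A-Za-z0-9_-]. This alone rejects dotfiles
      (.htaccess), path separators, spaces, NUL bytes and trailing dots.
    - Every extension segment (not just the last) must be on the allowlist,
      so shell.php.jpg is rejected along with shell.php.
    """
    name = unicodedata.normalize("NFKC", filename).strip()
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", name):
        return False
    segments = name.lower().split(".")[1:]
    return all(ext in ALLOWLIST for ext in segments)


# Constructed upload names an attacker or a careless user might submit.
SAMPLE_NAMES = [
    "photo.JPG",        # legitimate
    "report.pdf",       # legitimate
    "shell.php",        # blocked by both
    "shell.php7",       # not on the denylist: executed by PHP 7 handlers
    "shell.phar",       # not on the denylist
    "shell.php.jpg",    # last segment "jpg": denylist accepts it
    ".htaccess",        # denylist catches this one, but only by name
    "../photo.jpg",     # path traversal in the name
    "photo.jpg.",       # trailing dot; some filesystems strip it
]


def compare(names=SAMPLE_NAMES) -> dict:
    """Return {name: (denylist_verdict, allowlist_verdict)} for each name."""
    return {n: (denylist_check(n), allowlist_check(n)) for n in names}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in compare().items():
        print(f"{name:16} denylist={'accept' if deny_ok else 'reject':6} "
              f"allowlist={'accept' if allow_ok else 'reject'}")
```

The extension check is only one layer. The CSZ CMS entry shows the other half of the problem: the uploaded file was reachable under a `photo/upload/2019/` URI and executed there. Uploads should be written under a generated name (not the client-supplied one) to a directory the web server does not map to the PHP handler, and ideally served through a script that sets `Content-Type` from the allowlist rather than from the stored name.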
CVE-2019-12386

An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.

Published: August 22, 2019; 03:15:14 PM -04:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2019-12385

An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.). This may lead to a full compromise of admin accounts, when combined with the weak password generator algorithm used in the lostpassword functionality.

Published: August 22, 2019; 03:15:14 PM -04:00
V3.0: 8.8 HIGH
    V2: 6.5 MEDIUM
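Nine of the twenty entries on this page are SQL injection in a single PHP file, and the Ampache entry directly above (CVE-2019-12385) spells out the consequence: a search any user can run is enough to dump sessions and password hashes from unrelated tables. The following added example is not Ampache's code or the code of any other project listed here. It uses Python's standard `sqlite3` module and a constructed in-memory database so it runs offline; the table names, rows and the `UNION`-based payload are assumptions chosen to show how a search built by string concatenation leaks the users table while the same search with a bound parameter does not.

```python
"""
SQL injection through a search feature: string concatenation vs. bound
parameters. Constructed example with sqlite3; not Ampache's code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: songs the search should reach, users it should not."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE songs(id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO songs(title) VALUES ('Blue Monday'), ('Blue Train'), ('Red Rain');
        INSERT INTO users(username, password_hash) VALUES
            ('admin', '$2y$10$constructed-hash-for-admin'),
            ('guest', '$2y$10$constructed-hash-for-guest');
    """)
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    """The term is spliced into the SQL text, so it can close the quote and
    append its own statement fragment. Mirrors the pattern behind the
    SQL injection entries on this page."""
    sql = ("SELECT id, title FROM songs WHERE title LIKE '%" + term + "%' "
           "ORDER BY id")
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, term: str) -> list:
    """The term is bound as a parameter: the driver sends it as data and the
    SQL text never changes. Escaping % and _ is about LIKE wildcard
    semantics, not about injection; the binding alone stops injection."""
    like = "%" + (term.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_")) + "%"
    sql = "SELECT id, title FROM songs WHERE title LIKE ? ESCAPE '\\' ORDER BY id"
    return con.execute(sql, (like,)).fetchall()


# Constructed payload: close the LIKE quote, UNION in two columns from the
# users table (matching the two selected columns), comment out the rest.
PAYLOAD = "' UNION SELECT username, password_hash FROM users -- "


def leaked_hashes(rows: list) -> dict:
    """Pick out rows that came from the users table rather than songs."""
    return {u: h for (u, h) in rows if isinstance(h, str) and h.startswith("$2y$")}


if __name__ == "__main__":
    con = build_db()
    print("vulnerable, term='Blue':   ", search_vulnerable(con, "Blue"))
    print("vulnerable, term=PAYLOAD:  ", search_vulnerable(con, PAYLOAD))
    print("   -> leaked:", leaked_hashes(search_vulnerable(con, PAYLOAD)))
    print("safe, term='Blue':         ", search_safe(con, "Blue"))
    print("safe, term=PAYLOAD:        ", search_safe(con, PAYLOAD))
```

The payload works because the vulnerable query selects two columns and the attacker can name two columns from any other table; column-count and type probing is the usual first step when the target query is not known. In PHP the equivalent of `search_safe` is a `PDO::prepare` call with the term bound as a parameter (or a `mysqli` prepared statement); quoting or escaping the term by hand is the approach that produced the entries above.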