National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 26,259 matching records.
Displaying matches 121 through 140.
Fields per record: Vuln ID | Summary | CVSS Severity (V3 and V2)
CVE-2019-6961

Incorrect access control in actionHandlerUtility.php in the RDK RDKB-20181217-1 WebUI module allows a logged in user to control DDNS, QoS, RIP, and other privileged configurations (intended only for the network operator) by sending an HTTP POST to the PHP backend, because the page filtering for non-superuser (in header.php) is done only for GET requests and not for direct AJAX calls.

Published: June 20, 2019; 10:15:11 AM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-16514

A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.0 allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-13055.

Published: June 20, 2019; 10:15:10 AM -04:00
V3: 4.7 MEDIUM
V2: 2.6 LOW
CVE-2018-17388

SQL Injection exists in Twilio WEB To Fax Machine System 1.0 via the email or password parameter to login_check.php, or the id parameter to add_email.php or edit_content.php.

Published: June 19, 2019; 02:15:11 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-17148

An Insufficient Access Control vulnerability (leading to credential disclosure) in coreconfigsnapshot.php (aka configuration snapshot page) in Nagios XI before 5.5.4 allows remote attackers to gain access to configuration files containing confidential credentials.

Published: June 19, 2019; 02:15:11 PM -04:00
V3: 9.8 CRITICAL
V2: 5.0 MEDIUM
CVE-2018-17079

An issue was discovered in ZRLOG 2.0.1. There is a Stored XSS vulnerability in the nickname field of the comment area.

Published: June 19, 2019; 02:15:10 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-17423

An issue was discovered in e107 v2.1.9. There is an XSS vulnerability in e107_admin/comment.php.

Published: June 19, 2019; 01:15:10 PM -04:00
V3: 4.8 MEDIUM
V2: 3.5 LOW
CVE-2018-17393

SQL Injection exists in HealthNode Hospital Management System 1.0 via the id parameter to dashboard/Patient/info.php or dashboard/Patient/patientdetails.php.

Published: June 19, 2019; 01:15:10 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-17389

CSRF exists in server.php in Live Call Support Application 1.5 for adding an admin account.

Published: June 19, 2019; 01:15:10 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-18758

Open Faculty Evaluation System 7 for PHP 7 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18757.

Published: June 19, 2019; 12:15:10 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-18757

Open Faculty Evaluation System 5.6 for PHP 5.6 allows submit_feedback.php SQL Injection, a different vulnerability than CVE-2018-18758.

Published: June 19, 2019; 12:15:10 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-11040

When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.

Published: June 18, 2019; 08:15:12 PM -04:00
V3: 9.1 CRITICAL
V2: 6.4 MEDIUM
CVE-2019-11039

The function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform an out-of-buffer read due to an integer overflow when parsing MIME headers. This may lead to information disclosure or a crash.

Published: June 18, 2019; 08:15:12 PM -04:00
V3: 9.1 CRITICAL
V2: 6.4 MEDIUM
CVE-2019-11038

When using the gdImageCreateFromXbm() function of the PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.

Published: June 18, 2019; 08:15:12 PM -04:00
V3: 5.3 MEDIUM
V2: 5.0 MEDIUM
CVE-2018-18802

The Tubigan "Welcome to our Resort" 1.0 software allows CSRF via admin/mod_users/controller.php?action=edit.

Published: June 18, 2019; 12:15:10 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-18877

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alternative configuration page config_main.php that allows manipulation of the device.

Published: June 18, 2019; 11:15:11 AM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2018-18876

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue makes it possible to read any file present on the underlying operating system.

Published: June 18, 2019; 11:15:11 AM -04:00
V3: 5.3 MEDIUM
V2: 5.0 MEDIUM
CVE-2018-18875

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a stored Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script via changestationname.php.

Published: June 18, 2019; 11:15:11 AM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2018-18880

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a networkdiags.php reflected Cross-site scripting (XSS) vulnerability allows remote authenticated users to inject arbitrary web script.

Published: June 18, 2019; 10:15:11 AM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2018-18879

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php.

Published: June 18, 2019; 10:15:11 AM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2019-6965

An XSS issue was discovered in i-doit Open 1.12 via the src/tools/php/qr/qr.php url parameter.

Published: June 18, 2019; 09:15:10 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM