National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 26,158 matching records.
Displaying matches 141 through 160.
Vuln ID Summary CVSS Severity
CVE-2016-10753

e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.

Published: May 24, 2019; 02:29:00 PM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2016-10752

serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote attackers to upload and execute arbitrary PHP code because it mishandles an extensionless filename during a rename, as demonstrated by "php" as a filename.

Published: May 24, 2019; 02:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2016-10751

osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the plugin parameter. This is exploitable for remote PHP code execution because an administrator can upload an image that contains PHP code in the EXIF data via index.php?page=ajax&action=ajax_upload.

Published: May 24, 2019; 02:29:00 PM -04:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2019-11604

An issue was discovered in Quest KACE Systems Management Appliance before 9.1. The script at /service/kbot_service_notsoap.php is vulnerable to unauthenticated reflected XSS when user-supplied input to the METHOD GET parameter is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code into the context of the same page.

Published: May 24, 2019; 01:29:02 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10848

Computrols CBAS 18.0.0 allows Username Enumeration.

Published: May 24, 2019; 01:29:02 PM -04:00
V3: 5.3 MEDIUM
V2: 5.0 MEDIUM
CVE-2019-10847

Computrols CBAS 18.0.0 allows Cross-Site Request Forgery.

Published: May 24, 2019; 01:29:02 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2016-8900

Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.

Published: May 24, 2019; 01:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2016-8898

Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.

Published: May 24, 2019; 01:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2016-10245

Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.

Published: May 24, 2019; 01:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-11876

In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link.

Published: May 24, 2019; 12:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-12312

In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon restart. An attacker can trigger a NULL pointer dereference by initiating an IKEv2 IKE_SA_INIT exchange, followed by a bogus INFORMATIONAL exchange instead of the normallly expected IKE_AUTH exchange. This affects send_v2N_spi_response_from_state() in programs/pluto/ikev2_send.c that will then trigger a NULL pointer dereference leading to a restart of libreswan.

Published: May 24, 2019; 10:29:00 AM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-10850

Computrols CBAS 18.0.0 has Default Credentials.

Published: May 23, 2019; 04:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 10.0 HIGH
CVE-2019-10849

Computrols CBAS 18.0.0 allows unprotected Subversion (SVN) directory / source code disclosure.

Published: May 23, 2019; 04:29:00 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-10846

Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scripting vulnerabilities in the login page and password reset page via the username GET parameter.

Published: May 23, 2019; 04:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10866

In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.

Published: May 23, 2019; 03:29:01 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-10855

Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 with a pw prefix, e.g., if the password is admin, it will calculate the MD5 hash of pwadmin and store it in a MySQL database.

Published: May 23, 2019; 03:29:01 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-10854

Computrols CBAS 18.0.0 allows Authenticated Command Injection.

Published: May 23, 2019; 03:29:00 PM -04:00
V3: 8.8 HIGH
V2: 9.0 HIGH
CVE-2019-10853

Computrols CBAS 18.0.0 allows Authentication Bypass.

Published: May 23, 2019; 03:29:00 PM -04:00
V3: 8.1 HIGH
V2: 8.3 HIGH
CVE-2019-10852

Computrols CBAS 18.0.0 allows Authenticated Blind SQL Injection via the id GET parameter, as demonstrated by the index.php?m=servers&a=start_pulling&id= substring.

Published: May 23, 2019; 03:29:00 PM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2019-10851

Computrols CBAS 18.0.0 has hard-coded encryption keys.

Published: May 23, 2019; 03:29:00 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM