National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 25,780 matching records.
Displaying matches 141 through 160.
Vuln ID Summary CVSS Severity
CVE-2019-9606

PHP Scripts Mall Personal Video Collection Script 4.0.4 has Stored XSS via the "Update profile" feature.

Published: March 06, 2019; 05:29:00 PM -05:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2019-9603

MiniCMS 1.10 allows mc-admin/post.php?state=publish&delete= CSRF to delete articles, a different vulnerability than CVE-2018-18891.

Published: March 06, 2019; 02:29:00 PM -05:00
V3: 6.5 MEDIUM
V2: 5.8 MEDIUM
CVE-2019-9595

AppCMS 2.0.101 allows XSS via the upload/callback.php params parameter.

Published: March 06, 2019; 11:29:00 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9594

BlueCMS 1.6 allows SQL Injection via the user_id parameter in an uploads/admin/user.php?act=edit request.

Published: March 06, 2019; 11:29:00 AM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-9589

There is a NULL pointer dereference vulnerability in PSOutputDev::setupResources() located in PSOutputDev.cc in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdftops binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Published: March 06, 2019; 03:29:00 AM -05:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-9588

There is an Invalid memory access in gAtomicIncrement() located at GMutex.h in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdftops binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Published: March 06, 2019; 03:29:00 AM -05:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-9587

There is a stack consumption issue in md5Round1() located in Decrypt.cc in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to Catalog::countPageTree.

Published: March 06, 2019; 03:29:00 AM -05:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-9581

phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension.

Published: March 05, 2019; 07:29:01 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-9576

The Blog2Social plugin before 5.0.3 for WordPress allows wp-admin/admin.php?page=blog2social-ship XSS.

Published: March 05, 2019; 04:29:01 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9575

The Quiz And Survey Master plugin 6.0.4 for WordPress allows wp-admin/admin.php?page=mlw_quiz_results quiz_id XSS.

Published: March 05, 2019; 04:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9572

SchoolCMS version 2.3.1 allows file upload via the theme upload feature at admin.php?m=admin&c=theme&a=upload by using the .zip extension along with the _Static substring, changing the Content-Type to application/zip, and placing PHP code after the ZIP header. This ultimately allows execution of arbitrary PHP code in Public\Home\1_Static.php because of mishandling in the Application\Admin\Controller\ThemeController.class.php Upload() function.

Published: March 05, 2019; 09:29:00 AM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2019-9568

The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission.

Published: March 04, 2019; 01:29:00 PM -05:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-9566

FlarumChina v0.1.0-beta.7C has SQL injection via a /?q= request.

Published: March 04, 2019; 01:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-9563

In BlueMind 3.5.x before 3.5.11 Hotfix 7 and 4.x before 4.0-beta3, the contact application mishandles temporary uploads.

Published: March 04, 2019; 03:29:00 AM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-9551

An issue was discovered in DOYO (aka doyocms) 2.3 through 2015-05-06. It has admin.php XSS.

Published: March 03, 2019; 11:29:00 PM -05:00
V3: 4.8 MEDIUM
V2: 3.5 LOW
CVE-2019-9550

DhCms through 2017-09-18 has admin.php?r=admin/Index/index XSS.

Published: March 03, 2019; 02:29:00 PM -05:00
V3: 4.8 MEDIUM
V2: 3.5 LOW
CVE-2019-9549

An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=user&act=addnew URI, as demonstrated by adding a level=1 account, a similar issue to CVE-2018-18935.

Published: March 03, 2019; 02:29:00 PM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-9227

An issue was discovered in baigo CMS 2.1.1. There is a vulnerability that allows remote attackers to execute arbitrary code. A BG_SITE_NAME parameter with malicious code can be written into the opt_base.inc.php file.

Published: February 28, 2019; 09:29:00 AM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-9226

An issue was discovered in baigo CMS 2.1.1. There is a persistent XSS vulnerability that allows remote attackers to inject arbitrary web script or HTML via the opt[base][BG_SITE_NAME] parameter to the bg_console/index.php?m=opt&c=request URI.

Published: February 28, 2019; 09:29:00 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-8410

Maccms 8.0 allows XSS via the inc/config/cache.php t_key parameter because template/paody/html/vod_type.html mishandles the keywords parameter, and a/tpl/module/db.php only filters the t_name parameter (not t_key).

Published: February 27, 2019; 12:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM