National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 27,058 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2019-5112

Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_status was confirmed to suffer from SQL injections and could be exploited by authenticated attackers. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access the underlying operating system.

Published: December 03, 2019; 05:15:15 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2019-5111

Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_cat was confirmed to suffer from SQL injections and could be exploited by authenticated attackers. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability, potentially allowing exfiltration of the database, user credentials and, in certain configurations, access the underlying operating system.

Published: December 03, 2019; 05:15:15 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2019-16885

In OkayCMS through 2.3.4, an unauthenticated attacker can achieve remote code execution by injecting a malicious PHP object via a crafted cookie. This could happen at two places: first in view/ProductsView.php using the cookie price_filter, and second in api/Comparison.php via the cookie comparison.

Published: December 03, 2019; 03:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2012-4526

piwigo has XSS in password.php (incomplete fix for CVE-2012-4525)

Published: December 02, 2019; 01:15:09 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2012-4525

piwigo has XSS in password.php

Published: December 02, 2019; 01:15:09 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-19020

An issue was discovered in TitanHQ WebTitan before 5.18. In the administration web interface it is possible to upload a crafted backup file that enables an attacker to execute arbitrary code by overwriting existing files or adding new PHP files under the web root. This requires the attacker to have access to a valid web interface account.

Published: December 02, 2019; 12:15:13 PM -05:00
V3.1: 7.2 HIGH
    V2: 9.0 HIGH
CVE-2019-19016

An issue was discovered in TitanHQ WebTitan before 5.18. Some functions, such as /history-x.php, of the administration interface are vulnerable to SQL Injection through the results parameter. This could be used by an attacker to extract sensitive information from the appliance database.

Published: December 02, 2019; 12:15:12 PM -05:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-19502

pluginconfig.php in the Image Uploader and Browser plugin before 4.1.9 for CKEditor mishandles certain characters in pathnames.

Published: December 02, 2019; 11:15:12 AM -05:00
(not available)
CVE-2019-19491

TestLink 1.9.19 has XSS via the lib/testcases/archiveData.php edit parameter, the index.php reqURI parameter, or the URI in a lib/testcases/tcEdit.php?doAction=doDeleteStep request.

Published: December 01, 2019; 09:15:13 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-19388

A cross-site scripting (XSS) vulnerability in app/dialplans/dialplan_detail_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the dialplan_uuid parameter.

Published: November 28, 2019; 07:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-19387

A cross-site scripting (XSS) vulnerability in app/fifo_list/fifo_interactive.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the c parameter.

Published: November 28, 2019; 07:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-19386

A cross-site scripting (XSS) vulnerability in app/voicemail_greetings/voicemail_greeting_edit.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id and/or voicemail_id parameter.

Published: November 28, 2019; 07:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-19385

A cross-site scripting (XSS) vulnerability in app/dialplans/dialplans.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the app_uuid parameter.

Published: November 28, 2019; 07:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-19384

A cross-site scripting (XSS) vulnerability in app/fax/fax_log_view.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the fax_uuid parameter.

Published: November 28, 2019; 07:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-19379

In app/Controller/TagsController.php in MISP 2.4.118, users can bypass intended restrictions on tagging data.

Published: November 28, 2019; 12:15:12 PM -05:00
(not available)
CVE-2019-19372

** DISPUTED ** A downloadFile.php download_file path traversal vulnerability in rConfig through 3.9.3 allows attackers to list files in arbitrary folders and potentially download files. NOTE: the discoverer later reported that there was not a "fully working exploit."

Published: November 28, 2019; 10:15:10 AM -05:00
(not available)
CVE-2019-19367

A cross-site scripting (XSS) vulnerability in app/fax/fax_files.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter.

Published: November 27, 2019; 03:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-19366

A cross-site scripting (XSS) vulnerability in app/xml_cdr/xml_cdr_search.php in FusionPBX 4.4.1 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.

Published: November 27, 2019; 03:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-15300

A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query.

Published: November 27, 2019; 09:15:11 AM -05:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2019-15298

A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface. This is the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly. This allows one to inject Linux commands directly.

Published: November 27, 2019; 09:15:11 AM -05:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM