National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 25,990 matching records.
Displaying matches 201 through 220.
Vuln ID Summary CVSS Severity
CVE-2019-10021

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function ImageStream::ImageStream at Stream.cc for nComps.

Published: March 24, 2019; 08:29:05 PM -04:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10020

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function Splash::scaleImageYuXu at Splash.cc for x Bresenham parameters.

Published: March 24, 2019; 08:29:05 PM -04:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10019

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PSOutputDev::checkPageSlice at PSOutputDev.cc for nStripes.

Published: March 24, 2019; 08:29:05 PM -04:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10018

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case.

Published: March 24, 2019; 08:29:05 PM -04:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10017

CMS Made Simple 2.2.10 has XSS via the moduleinterface.php Name field, which is reachable via an "Add a new Profile" action to the File Picker.

Published: March 24, 2019; 06:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-10015

baigoStudio baigoSSO v3.0.1 allows remote attackers to execute arbitrary PHP code via the first form field of a configuration screen, because this code is written to the BG_SITE_NAME field in the opt_base.inc.php file.

Published: March 24, 2019; 06:29:00 PM -04:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2019-10014

In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated.

Published: March 24, 2019; 06:29:00 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-10010

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583.

Published: March 24, 2019; 02:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9978

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

Published: March 24, 2019; 11:29:00 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9960

The downloadZip function in application/controllers/admin/export.php in LimeSurvey through 3.16.1+190225 allows a relative path.

Published: March 23, 2019; 09:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-9942

A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.

Published: March 23, 2019; 11:29:00 AM -04:00
V3: 3.7 LOW
V2: 4.3 MEDIUM
CVE-2019-9649

An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. Using the MDTM FTP command, a remote attacker can use a directory traversal technique (..\..\) to browse outside the root directory to determine the existence of a file on the operating system, and its last modified date.

Published: March 22, 2019; 04:29:00 PM -04:00
V3: 5.3 MEDIUM
V2: 5.0 MEDIUM
CVE-2019-9648

An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information.

Published: March 22, 2019; 03:29:00 PM -04:00
V3: 5.3 MEDIUM
V2: 5.0 MEDIUM
CVE-2019-9925

S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter.

Published: March 22, 2019; 04:29:00 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9915

GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2019-9914

The yop-poll plugin before 6.0.3 for WordPress has wp-admin/admin.php?page=yop-polls&action=view-votes poll_id XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9913

The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9912

The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the wp-admin/admin.php PATH_INFO.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9911

The social-networks-auto-poster-facebook-twitter-g plugin before 4.2.8 for WordPress has wp-admin/admin.php?page=nxssnap-reposter&action=edit item XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9910

The kingcomposer plugin 2.7.6 for WordPress has wp-admin/admin.php?page=kc-mapper id XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM