National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 27,209 matching records.
Displaying matches 201 through 220.
Vuln ID Summary CVSS Severity
CVE-2019-19207

rConfig 3.9.2 allows devices.php?searchColumn= SQL injection.

Published: November 21, 2019; 05:15:15 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2012-1001

Multiple cross-site scripting (XSS) vulnerabilities in Chyrp before 2.1.2 and before 2.5 Beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) content parameter to includes/ajax.php or (2) body parameter to includes/error.php.

Published: November 21, 2019; 05:15:15 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2013-2093

Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.

Published: November 20, 2019; 04:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2013-2092

Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.

Published: November 20, 2019; 04:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2013-2091

SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.

Published: November 20, 2019; 03:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2013-1817

MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.

Published: November 20, 2019; 03:15:11 PM -05:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2011-4455

Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.

Published: November 20, 2019; 02:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2011-4454

Multiple cross-site scripting vulnerabilities in Tiki 8.0 RC1 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-remind_password.php, (2) tiki-index.php, (3) tiki-login_scr.php, or (4) tiki-index.

Published: November 20, 2019; 02:15:10 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2011-1028

The $smarty.template variable in Smarty3 allows attackers to possibly execute arbitrary PHP code via the sysplugins/smarty_internal_compile_private_special_variable.php file.

Published: November 20, 2019; 10:15:11 AM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-10766

Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL Injection in the limit() function due to improper sanitization.

Published: November 19, 2019; 03:15:12 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-10764

In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.

Published: November 18, 2019; 05:15:11 PM -05:00
V3.1: 7.4 HIGH
    V2: 5.8 MEDIUM
CVE-2019-10763

pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attacker with limited privileges (classes permission) can achieve a SQL injection that can lead in data leakage. The vulnerability can be exploited via 'id', 'storeId', 'pageSize' and 'tables' parameters, using a payload for trigger a time based or error based sql injection.

Published: November 18, 2019; 03:15:11 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2019-14467

The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code Execution by creating an album and attaching a malicious PHP file in the cover photo album, because the file extension is not checked.

Published: November 18, 2019; 11:15:11 AM -05:00
V3.1: 7.8 HIGH
    V2: 4.6 MEDIUM
CVE-2019-14343

TemaTres 3.0 has stored XSS via the value parameter to the vocab/admin.php?vocabulario_id=list URI.

Published: November 15, 2019; 08:15:10 AM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2019-18982

bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.

Published: November 15, 2019; 12:15:12 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2013-4108

Multiple unspecified vulnerabilities in Cryptocat Project Cryptocat 2.0.18 have unknown impact and attack vectors.

Published: November 14, 2019; 03:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2013-4106

A Cross-site scripting (XSS) vulnerability exists in Conversation Overview Nickname in Cryptocat before 2.0.22.

Published: November 14, 2019; 03:15:10 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2013-4109

An unspecified cross-site scripting (XSS) vulnerability exists in Cryptocat Message Handling 1.1.165.

Published: November 14, 2019; 02:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2012-1170

Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough

Published: November 14, 2019; 12:15:13 PM -05:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2012-1169

Moodle before 2.2.2 has Personal information disclosure, when administrative setting users name display is set to first name only full names are shown in page breadcrumbs.

Published: November 14, 2019; 12:15:12 PM -05:00
V3.1: 5.3 MEDIUM
    V2: 5.0 MEDIUM