National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 25,797 matching records.
Displaying matches 261 through 280.
Vuln ID Summary CVSS Severity
CVE-2013-2516

Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.

Published: February 15, 2019; 04:29:00 PM -05:00
V3: 8.8 HIGH
V2: 9.3 HIGH
CVE-2019-8347

BEESCMS 4.0 has a CSRF vulnerability to add arbitrary VIP accounts via the admin/admin_member.php?action=add&nav=add_web_user&admin_p_nav=user URI.

Published: February 15, 2019; 10:29:00 AM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-8335

An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerability via index.php?a=Index&c=Channel&m=Home&id=[XSS].

Published: February 13, 2019; 11:29:00 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-8334

An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerability via index.php?a=Index&c=Channel&m=Home&viewid=[XSS].

Published: February 13, 2019; 11:29:00 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-7753

Verydows 2.0 has XSS via the index.php?m=api&c=stats&a=count referrer parameter.

Published: February 12, 2019; 07:29:00 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-7748

_includes\online.php in DbNinja 3.2.7 allows XSS via the data.php task parameter if _users/admin/tasks.php exists.

Published: February 11, 2019; 04:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-7747

DbNinja 3.2.7 allows session fixation via the data.php sessid parameter.

Published: February 11, 2019; 04:29:00 PM -05:00
V3: 9.6 CRITICAL
V2: 6.8 MEDIUM
CVE-2019-7738

C.P.Sub before 5.3 allows CSRF via a manage.php?p=article_del&id= URI.

Published: February 11, 2019; 04:29:00 PM -05:00
V3: 6.5 MEDIUM
V2: 5.8 MEDIUM
CVE-2019-7737

A CSRF vulnerability was found in Verydows v2.0 that can add an admin account via index.php?m=backend&c=admin&a=add&step=submit.

Published: February 11, 2019; 04:29:00 PM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-7731

MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an attacker writes shell code into the database, and executes the Backup Database function with a .php filename for the backup's archive file.

Published: February 11, 2019; 12:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-7721

lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the index.php?action=save name and editordata parameters.

Published: February 10, 2019; 11:29:00 PM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-7720

taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request.

Published: February 10, 2019; 11:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-7719

Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request.

Published: February 10, 2019; 11:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-7718

An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=<?php and admin/databack/bakup_tables.php?2=file_put_contents URIs because app/system/databack/admin/index.class.php creates bakup_tables.php temporarily.

Published: February 10, 2019; 11:29:00 PM -05:00
V3: 8.1 HIGH
V2: 6.8 MEDIUM
CVE-2018-20775

admin/?/plugin/file_manager in Frog CMS 0.9.5 allows PHP code execution by creating a new .php file containing PHP code, and then visiting this file under the public/ URI.

Published: February 10, 2019; 09:29:01 PM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2018-20773

Frog CMS 0.9.5 allows PHP code execution by visiting admin/?/page/edit/1 and inserting additional <?php lines.

Published: February 10, 2019; 09:29:00 PM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2018-20772

Frog CMS 0.9.5 allows PHP code execution via <?php to the admin/?/layout/edit/1 URI.

Published: February 10, 2019; 09:29:00 PM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2018-20768

An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. An attacker can execute PHP code by leveraging a writable file.

Published: February 10, 2019; 12:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-7692

install/install.php in CIM 0.9.3 allows remote attackers to execute arbitrary PHP code via a crafted prefix value because of configuration file mishandling in the N=83 case, as demonstrated by a call to the PHP fputs function that creates a .php file in the public folder.

Published: February 10, 2019; 11:29:00 AM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-7648

controller/fetchpwd.php and controller/doAction.php in Hotels_Server through 2018-11-05 rely on base64 in an attempt to protect password storage.

Published: February 08, 2019; 12:29:00 PM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM