National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 26,394 matching records.
Displaying matches 61 through 80.
Vuln ID Summary CVSS Severity
CVE-2019-14706

A denial of service issue in HTTPD was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker without authorization can upload a file to upload.php with a filename longer than 256 bytes. This will be placed in the updownload area. It will not be deleted, because of a buffer overflow in a Bash command string.

Published: August 06, 2019; 07:15:12 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-14347

Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unprivileged users (editor or developer) to create an administrator account via admin/user/add, as demonstrated by a Python PoC script.

Published: August 06, 2019; 01:15:43 PM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2019-12950

An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.

Published: August 06, 2019; 01:15:43 PM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2019-14696

Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter.

Published: August 06, 2019; 12:15:11 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-14346

Internal/Views/config.php in Schben Adive 2.0.7 allows admin/config CSRF to change a user password.

Published: August 06, 2019; 11:15:13 AM -04:00
V3: 8.8 HIGH
V2: 4.3 MEDIUM
CVE-2019-14695

A SQL injection vulnerability exists in the Sygnoos Popup Builder plugin before 3.45 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via com/libs/Table.php because Subscribers Table ordering is mishandled.

Published: August 06, 2019; 10:15:12 AM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-14664

In Enigmail below 2.1, an attacker in possession of PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, he unknowingly leaks the plaintext of the encrypted message part(s) back to the attacker. This attack variant bypasses protection mechanisms implemented after the "EFAIL" attacks.

Published: August 05, 2019; 04:15:11 PM -04:00
V3: 6.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-12264

Wind River VxWorks 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7 has Incorrect Access Control in IPv4 assignment by the ipdhcpc DHCP client component.

Published: August 05, 2019; 02:15:10 PM -04:00
V3: 7.1 HIGH
V2: 4.8 MEDIUM
CVE-2017-18468

cPanel before 62.0.17 allows demo accounts to execute code via the Htaccess::setphppreference API (SEC-232).

Published: August 05, 2019; 08:15:11 AM -04:00
V3: 6.3 MEDIUM
V2: 6.5 MEDIUM
CVE-2019-7932

A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can execute arbitrary PHP code by creating a malicious sitemap file.

Published: August 02, 2019; 06:15:18 PM -04:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2019-7871

A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection.

Published: August 02, 2019; 06:15:15 PM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2019-14529

OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.

Published: August 02, 2019; 10:15:14 AM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2019-14472

Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATH_INFO.

Published: August 01, 2019; 11:15:15 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-14471

TestLink 1.9.19 has XSS via the error.php message parameter.

Published: August 01, 2019; 11:15:15 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-13572

The Adenion Blog2Social plugin through 5.5.0 for WordPress allows SQL Injection.

Published: August 01, 2019; 11:15:14 AM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2016-10851

cPanel before 11.54.0.4 allows self XSS in the WHM PHP Configuration editor interface (SEC-84).

Published: August 01, 2019; 11:15:12 AM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2018-20886

cPanel before 74.0.0 insecurely stores phpMyAdmin session files (SEC-418).

Published: August 01, 2019; 10:15:11 AM -04:00
V3: 5.3 MEDIUM
V2: 4.6 MEDIUM
CVE-2019-10189

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in an assignment group could modify group overrides for other groups in the same assignment.

Published: July 31, 2019; 06:15:12 PM -04:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-10188

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Teachers in a quiz group could modify group overrides for other groups in the same quiz.

Published: July 31, 2019; 06:15:12 PM -04:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-10187

A flaw was found in moodle before versions 3.7.1, 3.6.5, 3.5.7. Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.

Published: July 31, 2019; 06:15:12 PM -04:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM