National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 25,994 matching records.
Displaying matches 81 through 100.
Vuln ID Summary CVSS Severity
CVE-2019-11617

doorGets 7.0 has a CSRF vulnerability in /doorgets/app/requests/user/configurationRequest.php. A remote attacker can exploit this vulnerability for "Google Analytics code" modification.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-11616

doorGets 7.0 has a sensitive information disclosure vulnerability in /setup/temp/admin.php and /setup/temp/database.php. A remote unauthenticated attacker could exploit this vulnerability to obtain the administrator password.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 9.8 CRITICAL
V2: 5.0 MEDIUM
CVE-2019-11615

/fileman/php/upload.php in doorGets 7.0 has an arbitrary file upload vulnerability. A remote normal registered user can use this vulnerability to upload backdoor files to control the server.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2019-11614

doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/views/ajax/commentView.php. A remote unauthorized attacker could exploit the vulnerability to obtain database sensitive information.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-11613

doorGets 7.0 has a SQL injection vulnerability in /doorgets/app/views/ajax/contactView.php. A remote normal registered user could exploit the vulnerability to obtain database sensitive information.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-11612

doorGets 7.0 has an arbitrary file deletion vulnerability in /fileman/php/deletefile.php. A remote unauthenticated attacker can exploit this vulnerability to delete arbitrary files.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 7.5 HIGH
V2: 6.4 MEDIUM
CVE-2019-11611

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/download.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-11610

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/downloaddir.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-11609

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/movefile.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information or make the server unserviceable.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 8.2 HIGH
V2: 6.4 MEDIUM
CVE-2019-11608

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/renamefile.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information or make the server unserviceable.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 8.2 HIGH
V2: 6.4 MEDIUM
CVE-2019-11607

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/copydir.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-11606

doorGets 7.0 has a sensitive information disclosure vulnerability in /fileman/php/copyfile.php. A remote unauthenticated attacker can exploit this vulnerability to obtain server-sensitive information.

Published: April 30, 2019; 04:29:01 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2015-9286

Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.

Published: April 30, 2019; 10:29:00 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-11592

WeBid 1.2.2 has reflected XSS via the id parameter to admin/deletenews.php, admin/editbannersuser.php, admin/editfaqscategory.php, or admin/excludeuser.php, or the offset parameter to admin/edituser.php.

Published: April 29, 2019; 10:29:00 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-11591

The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.

Published: April 29, 2019; 10:29:00 AM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-11590

The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.

Published: April 29, 2019; 10:29:00 AM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-11568

An issue was discovered in AikCms v2.0. There is a File upload vulnerability, as demonstrated by an admin/page/system/nav.php request with PHP code in a .php file with the application/octet-stream content type.

Published: April 27, 2019; 10:29:00 AM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-11567

An issue was discovered in AikCms v2.0. There is a SQL Injection vulnerability via $_GET['del'], as demonstrated by an admin/page/system/nav.php?del= URI.

Published: April 27, 2019; 10:29:00 AM -04:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2019-11557

The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized.

Published: April 26, 2019; 06:29:00 PM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-15584

Cross-Site Scripting (XSS) vulnerability in adm/boardgroup_form_update.php and adm/boardgroup_list_update.php in gnuboard5 before 5.3.1.6 allows remote attackers to inject arbitrary web script or HTML.

Published: April 26, 2019; 04:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM