Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
There are 28,656 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2021-21260

Online Invoicing System (OIS) is open source software which is a lean invoicing system for small businesses, consultants and freelancers created using AppGini. In OIS version 4.0 there is a stored XSS which can enables an attacker takeover of the admin account through a payload that extracts a csrf token and sends a request to change password. It has been found that Item description is reflected without sanitization in app/items_view.php which enables the malicious scenario.

Published: January 22, 2021; 1:15:12 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2020-35272

Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Admin Portal in the Task and Description fields.

Published: January 20, 2021; 11:15:14 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2020-35271

Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Employees, First Name and Last Name fields.

Published: January 20, 2021; 11:15:14 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2020-19364

OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php.

Published: January 19, 2021; 8:15:13 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-19362

Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.

Published: January 19, 2021; 8:15:13 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-19361

Reflected XSS in Medintux v2.16.000 CCAM.php by manipulating the mot1 parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.

Published: January 19, 2021; 8:15:13 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-23342

A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users.

Published: January 19, 2021; 9:15:11 AM -0500
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-23522

Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.

Published: January 19, 2021; 8:15:11 AM -0500
V3.1: 6.8 MEDIUM
V2.0: 6.0 MEDIUM
CVE-2020-36193

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Published: January 18, 2021; 3:15:12 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-36192

An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php page, as well as on the list.php page (a pop-up on the Affected Issues id hyperlink). Additionally, if the attacker has "Update threshold" in the plugin's configuration (set to the "updater" access level by default), then they can link any Issue to a Changeset by entering the Issue's Id, even if they do not have access to it.

Published: January 18, 2021; 3:15:12 PM -0500
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2021-25295

OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues.

Published: January 18, 2021; 1:15:13 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2021-25294

OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the parametersactivity:ActivityDataGrid parameter. The PHP object injection exploit chain can leverage an __destruct magic method in guzzlehttp.

Published: January 18, 2021; 1:15:12 AM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2020-35749

Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simple Board Job plugin 2.9.3 and earlier for WordPress allows remote attackers to read arbitrary files via the sjb_file parameter to wp-admin/post.php.

Published: January 15, 2021; 12:15:13 PM -0500
V3.1: 7.7 HIGH
V2.0: 4.0 MEDIUM
CVE-2020-35748

Cross-site scripting (XSS) vulnerability in models/list-table.php in the FV Flowplayer Video Player plugin before 7.4.37.727 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the fv_wp_fvvideoplayer_src JSON field in the data parameter.

Published: January 15, 2021; 12:15:12 PM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-23835

An issue was discovered in flatCore before 2.0.0 build 139. A local file disclosure vulnerability was identified in the docs_file HTTP request body parameter for the acp interface. This can be exploited with admin access rights. The affected parameter (which retrieves the contents of the specified file) was found to be accepting malicious user input without proper sanitization, thus leading to retrieval of backend server sensitive files, e.g., /etc/passwd, SQLite database files, PHP source code, etc.

Published: January 15, 2021; 2:15:13 AM -0500
V3.1: 4.9 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2020-35582

A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the post_title parameter.

Published: January 15, 2021; 2:15:13 AM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-35581

A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter.

Published: January 15, 2021; 2:15:13 AM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-23653

An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution.

Published: January 13, 2021; 1:15:14 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-35687

PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim.

Published: January 13, 2021; 12:15:12 PM -0500
V3.1: 4.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-23631

Cross-site request forgery (CSRF) in admin/global/manage.php in WDJA CMS 1.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via the tongji parameter.

Published: January 11, 2021; 3:15:16 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM