Medium
CVE-2009-1454
Cross-site scripting (XSS) vulnerability in tasks.php in WebCollab before 2.50 (aka Billy Goat) allows remote attackers to inject arbitrary web script or HTML via the selection parameter in a todo ac…
Tag: PHP
All CVEs associated with "PHP". Page 231/312 • 37341 CVEs.
Subscribe CVEs: RSS for “PHP” · RSS (High+Critical only)
About “PHP”
A curated feed of “PHP”-related CVEs appears below. We currently track 37341 CVEs for this tag (all time). In the last 365 days, 6038 were published. Average CVSS is 6.7 (all time; 6.9 over 365d), and 50% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion').
In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2009-04-28
Medium
CVE-2009-1453
SQL injection vulnerability in class.eport.php in Tiny Blogr 1.0.0 rc4, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the txtUsername parameter (aka…
High
CVE-2009-1452
Multiple PHP remote file inclusion vulnerabilities in theme/format.php in SMA-DB 0.3.13 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _page_css and (2) _page_javascript pa…
Critical
CVE-2008-6767
wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request.
Medium
CVE-2008-6766
cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to cause a denial of service (excessive shopping carts) via a flood of requests.
Medium
CVE-2008-6764
Cross-site scripting (XSS) vulnerability in login.php in Silentum LoginSys 1.0.0 allows remote attackers to inject arbitrary web script or HTML via the message parameter.
High
CVE-2008-6763
login2.php in Silentum LoginSys 1.0.0 allows remote attackers to bypass authentication and obtain access to an arbitrary account by setting the logged_in cookie to that account's username.
Medium
CVE-2008-6762
Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto…
Critical
CVE-2008-6761
Static code injection vulnerability in admin/install.php in Flexcustomer 0.0.6 might allow remote attackers to inject arbitrary PHP code into const.inc.php via the installdbname parameter (aka the Da…
Medium
CVE-2008-6760
ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to obtain sensitive information via an unauthenticated add and save action for a shopping cart in cart_save.php, which reveals the SQL table…
Medium
CVE-2008-6759
ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to obtain sensitive information via a URL in the POST_DATA parameter to manuals_search.php, which reveals the installation path in an error…
Medium
CVE-2008-6758
Cross-site request forgery (CSRF) vulnerability in cart_save.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to hijack the authentication of arbitrary users for requests that conduc…
Medium
CVE-2008-6757
Cross-site scripting (XSS) vulnerability in manuals_search.php in ViArt Shop (aka Shopping Cart) 3.5 allows remote attackers to inject arbitrary web script or HTML via the manuals_search parameter.
Medium
CVE-2009-1451
Cross-site scripting (XSS) vulnerability in startpage.php in SMA-DB 0.3.12 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
High
CVE-2009-1450
PHP remote file inclusion vulnerability in format.php in SMA-DB 0.3.12 allows remote attackers to execute arbitrary PHP code via a URL in the _page_content parameter.
2009-04-27
Medium
CVE-2009-1448
Cross-site scripting (XSS) vulnerability in apricot.php in LovPop.net APRICOT, probably 1.20, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Medium
CVE-2008-6755
ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, which makes it easier for remote attackers to modify this file by acces…
Medium
CVE-2009-1447
Unrestricted file upload vulnerability in admin/editor/image.php in e-cart.biz Free Shopping Cart allows remote attackers to execute arbitrary code by uploading a file with an executable extension, t…
Medium
CVE-2009-1446
Unrestricted file upload vulnerability in upload.php in Elkagroup Image Gallery 1.0 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then…
High
CVE-2009-1445
Multiple directory traversal vulnerabilities in WebPortal CMS 0.8-beta allow remote attackers to (1) read arbitrary files via directory traversal sequences in the lang parameter to libraries/helpdocs…
High
CVE-2009-1444
PHP remote file inclusion vulnerability in indexk.php in WebPortal CMS 0.8-beta allows remote attackers to execute arbitrary PHP code via a URL in the lib_path parameter.
2009-04-24
High
CVE-2009-1433
SQL injection vulnerability in File::find (filesystem/File.php) in SilverStripe before 2.3.1 allows remote attackers to execute arbitrary SQL commands via the filename parameter.
High
CVE-2009-1411
SQL injection vulnerability in events/inc/events.inc.php in the Events plugin for Seditio CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the c parameter to plug.php.
High
CVE-2009-1410
SQL injection vulnerability in index.php in Quick.Cms.Lite 0.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Medium
CVE-2009-1409
SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL c…
Medium
CVE-2009-1407
Directory traversal vulnerability in config.php in NotFTP 1.3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a certain languages[][file] parameter.
Medium
CVE-2009-1406
Directory traversal vulnerability in cms_detect.php in TotalCalendar 2.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the include parameter.
Medium
CVE-2009-1405
Directory traversal vulnerability in index.php in PastelCMS 0.8.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the se…
Medium
CVE-2009-1404
SQL injection vulnerability in admin.php in PastelCMS 0.8.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user (Username) parameter.
High
CVE-2009-1403
SQL injection vulnerability in product_info.php in CRE Loaded 6.2 allows remote attackers to execute arbitrary SQL commands via the products_id parameter.
High
CVE-2008-6752
adminlogin/password.php in the Twitter Clone (TClone) plugin for ReVou Micro Blogging does not verify the original password before changing passwords, which allows remote attackers to change the admi…
Medium
CVE-2008-6751
Unrestricted file upload vulnerability in index.php in the Twitter Clone (TClone) plugin for ReVou Micro Blogging allows remote attackers to execute arbitrary code by uploading a file with an executa…
Medium
CVE-2008-6750
Unrestricted file upload vulnerability in add.php in FlexPHPDirectory 0.0.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a…
Medium
CVE-2008-6749
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPDirectory 0.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) checku…
Critical
CVE-2008-6748
Eval injection vulnerability in Megacubo 5.0.7 allows remote attackers to inject and execute arbitrary PHP code via the play action in a mega:// URI.
2009-04-23
High
CVE-2008-6745
index.php in BlogPHP 2.0 allows remote attackers to gain administrator privileges via a crafted email parameter in a register2 action.
2009-04-22
Medium
CVE-2009-1369
moziloCMS 1.11 allows remote attackers to obtain sensitive information via the (1) gal[] parameter to gallery.php, (2) page[] and (3) cat[] parameter to index.php, or (4) file[] parameter to download…
High
CVE-2009-1368
Directory traversal vulnerability in index.php in moziloCMS 1.11 allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter. NOTE: this might be the same issue as CVE-2…
Medium
CVE-2009-1367
Cross-site scripting (XSS) vulnerability in index.php in moziloCMS 1.11 allows remote attackers to inject arbitrary web script or HTML via the query parameter in search action, a different issue than…
High
CVE-2008-6743
RSMScript 1.21 allows remote attackers to bypass authentication and gain administrative privileges by setting the verified cookie to an arbitrary value and performing a direct request to (1) delete.p…
Medium
CVE-2009-1362
SQL injection vulnerability in administration/index.php in chCounter 3.1.3 allows remote attackers to execute arbitrary SQL commands via the login_name parameter. NOTE: the provenance of this inform…
Critical
CVE-2009-1361
dig.php in GScripts.net DNS Tools allows remote attackers to execute arbitrary commands via shell metacharacters in the host parameter. NOTE: the provenance of this information is unknown; the detail…
2009-04-21
High
CVE-2008-6741
SQL injection vulnerability in Load.php in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands by setting the db_character_set parameter to a multi…
Medium
CVE-2008-6740
PHP remote file inclusion vulnerability in html/admin/modules/plugin_admin.php in HoMaP-CMS 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the _settings[pluginpath] parameter.
Medium
CVE-2008-6736
Flat Calendar 1.1 does not properly restrict access to administrative functions, which allows remote attackers to (1) add new events via calAdd.php, as reachable from admin/add.php, or (2) delete eve…
Medium
CVE-2008-6735
Directory traversal vulnerability in qc/index.php in ThaiQuickCart 3 allows remote attackers to read arbitrary files via a .. (dot dot) in the sLanguage cookie.
Critical
CVE-2008-6734
Directory traversal vulnerability in Public/index.php in Keller Web Admin CMS 0.94 Pro allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter.
2009-04-20
Medium
CVE-2009-1347
Multiple SQL injection vulnerabilities in stats/index.php in chCounter 3.1.3 allow remote attackers to execute arbitrary SQL commands via (1) the login_name parameter (aka the username field) or (2)…
High
CVE-2009-1346
SQL injection vulnerability in publico/ficha.php in NetHoteles 3.0 allows remote attackers to execute arbitrary SQL commands via the id_establecimiento parameter.
High
CVE-2009-1345
SQL injection vulnerability in document.php in cpCommerce 1.2.8 allows remote attackers to execute arbitrary SQL commands via the id_document parameter.
Critical
CVE-2008-6731
Unrestricted file upload vulnerability in submitlink.php in FlexPHPLink Pro 0.0.7 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessin…
Medium
CVE-2008-6730
Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPLink Pro 0.0.6 and 0.0.7, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) t…
Medium
CVE-2008-6729
Multiple cross-site request forgery (CSRF) vulnerabilities in password.php in PHPmotion 2.1 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests that modify…
High
CVE-2008-6728
SQL injection vulnerability in the Sections module in PHP-Nuke, probably before 8.0, allows remote attackers to execute arbitrary SQL commands via the artid parameter in a printpage action to modules…
Medium
CVE-2008-6727
Cross-site scripting (XSS) vulnerability in Ultimate PHP Board (UPB) 2.2.2, 2.2.1, and earlier 2.x versions allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP head…
2009-04-17
Medium
CVE-2009-1320
Multiple cross-site scripting (XSS) vulnerabilities in include/zstore.php in Zazzle Store Builder 1.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) gridPage and (2) grid…
High
CVE-2009-1319
Directory traversal vulnerability in includes/ini.inc.php in GuestCal 2.1 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the lang parameter to index.php.
Medium
CVE-2009-1318
Directory traversal vulnerability in index.php in Jamroom 3.1.2, 3.2.3 through 3.2.6, 4.0.2, and possibly other versions before 3.4.0 allows remote attackers to include arbitrary files via directory…
Medium
CVE-2009-1317
Multiple SQL injection vulnerabilities in Aqua CMS 1.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) userSID cookie parameter to droplets/fu…
High
CVE-2009-1316
Multiple SQL injection vulnerabilities in AbleSpace 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to events_view.php and the (2) id parameter to events_clndr_…
Medium
CVE-2009-1315
Multiple cross-site scripting (XSS) vulnerabilities in AbleSpace 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) gid parameter to groups_profile.php, (2) cat_id and (3)…
Medium
CVE-2008-6726
Multiple directory traversal vulnerabilities in CMScout 2.06, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the bit param…
Medium
CVE-2008-6725
Multiple SQL injection vulnerabilities in CMScout 2.06 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) index.php in a mythings page (mythings.php) and (…
2009-04-16
High
CVE-2009-1285
Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configur…
2009-04-14
High
CVE-2008-6721
SQL injection vulnerability in index.php in AJ Square AJ Article allows remote attackers to execute arbitrary SQL commands via the txtName parameter (aka the username field).
2009-04-13
High
CVE-2008-6720
SQL injection vulnerability in admin/adm_login.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the admin_username parameter (aka the admin…
High
CVE-2008-6719
U&M Software Event Lister (aka JustListIt) 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via…
High
CVE-2008-6718
U&M Software JustBookIt 1.0 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct request to…
High
CVE-2008-6717
U&M Software Signup 1.0 and 1.1 does not require administrative authentication for all scripts in the admin/ directory, which allows remote attackers to have an unspecified impact via a direct reques…
High
CVE-2008-6716
homeadmin/adminhome.php in Pre ADS Portal 2.0 and earlier does not require administrative authentication, which allows remote attackers to have an unspecified impact via a direct request.
Medium
CVE-2008-6715
Multiple cross-site scripting (XSS) vulnerabilities in Pre ADS Portal 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the msg parameter to (1) homeadmin/adminhome.ph…
2009-04-10
High
CVE-2008-6714
admin.php in xeCMS 1.0.0 RC2 and earlier allows remote attackers to bypass authentication and access the admin panel by setting the xecms_username cookie.
Medium
CVE-2008-6700
Multiple cross-site scripting (XSS) vulnerabilities in Butterfly Organizer 2.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) mytable parameter to view.php, (2) mytable p…
Medium
CVE-2008-6684
Unrestricted file upload vulnerability in editimage.php in Apartment Search Script allows remote attackers to execute arbitrary code by uploading a file with an executable extension and a GIF header,…
Medium
CVE-2008-6683
Cross-site scripting (XSS) vulnerability in listtest.php in Apartment Search Script allows remote attackers to inject arbitrary web script or HTML via the r parameter.
2009-04-09
High
CVE-2009-1282
SQL injection vulnerability in private/system/lib-session.php in glFusion 1.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the glf_session cookie parameter.
High
CVE-2009-1278
Static code injection vulnerability in forms/ajax/configure.php in Gravity Board X (GBX) 2.0 BETA allows remote attackers to inject arbitrary PHP code into config.php via the configure action to inde…
High
CVE-2009-1277
SQL injection vulnerability in index.php in Gravity Board X (GBX) 2.0 BETA allows remote attackers to execute arbitrary SQL commands via the member_id parameter in a viewprofile action. NOTE: the bo…
2009-04-08
Medium
CVE-2009-1272
The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x before 5.2.9 allows context-dependent attackers to cause a denial of service (crash) via a ZIP file that contains filenames with rela…
Medium
CVE-2009-1271
The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string to the json_decode API fun…
High
CVE-2008-6669
viewrq.php in nweb2fax 0.2.7 and earlier allows remote attackers to execute arbitrary code via shell metacharacters in the var_filename parameter in a (1) tif or (2) pdf format action.
Medium
CVE-2008-6668
Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id parameter to comm.php and (2) var_filename p…
High
CVE-2008-6667
A+ PHP Scripts News Management System (NMS) allows remote attackers to bypass authentication and gain administrator privileges by setting the mobsuser and mobspass cookies to 1.
Medium
CVE-2008-6665
change.php in Ananta CMS 1.0b5, with magic_quotes_gpc disabled, allows remote attackers to gain administrator privileges via a crafted email parameter, possibly related to code injection.
High
CVE-2008-6664
action.php in SH-News 3.0 allows remote attackers to bypass authentication and gain administrator privileges by setting the shuser and shpass cookies to non-zero values.
High
CVE-2008-6663
SQL injection vulnerability in profile.php in PHPAuctions.info PHPAuctions (aka PHPAuctionSystem) allows remote attackers to execute arbitrary SQL commands via the auction_id parameter, a different v…
2009-04-07
High
CVE-2009-1263
SQL injection vulnerability in sub_commententry.php in the BookJoomlas (com_bookjoomlas) component 0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gbid parameter in…
Medium
CVE-2009-1259
SQL injection vulnerability in inc/bb/topic.php in Insane Visions AdaptBB 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the topic_id parameter…
High
CVE-2009-1258
SQL injection vulnerability in the RD-Autos (com_rdautos) component 1.5.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the makeid parameter in index.php. NOTE: the prove…
Medium
CVE-2008-6660
Unrestricted file upload vulnerability in bigdump.php in Alexey Ozerov BigDump 0.29b allows remote attackers to execute arbitrary code by uploading a file with an executable extension followed by a .…
Medium
CVE-2008-6659
Directory traversal vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote authenticated users to configure arbitrary local files for execution…
Medium
CVE-2008-6658
Directory traversal vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote authenticated administrators to install packages from arbitrary dire…
Medium
CVE-2008-6657
Cross-site request forgery (CSRF) vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote attackers to hijack the authentication of admins for r…
High
CVE-2008-6656
Multiple SQL injection vulnerabilities in Open Auto Classifieds 1.4.3b allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to listings.php and (2) the username field to…
Medium
CVE-2008-6655
Multiple cross-site scripting (XSS) vulnerabilities in GEDCOM_TO_MYSQL 2 allow remote attackers to inject arbitrary web script or HTML via the (1) nom_branche and (2) nom parameters to php/prenom.php…
Medium
CVE-2008-6654
Cross-site scripting (XSS) vulnerability in search_results.php in InfoBiz Server allows remote attackers to inject arbitrary web script or HTML via the keywords parameter.
High
CVE-2008-6653
SQL injection vulnerability in webhosting.php in the Webhosting Component (com_webhosting) module before 1.1 RC7 for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via th…
High
CVE-2008-6652
SQL injection vulnerability in asd.php in OneCMS 2.5 allows remote attackers to execute arbitrary SQL commands via the sitename parameter.
Critical
CVE-2008-6651
Static code injection vulnerability in edithistory.php in OxYProject OxYBox 0.85 allows remote attackers to inject arbitrary PHP code into oxyhistory.php via the oxymsg parameter.
Medium
CVE-2008-6650
del.php in miniBloggie 1.0 allows remote attackers to delete arbitrary posts via a direct request with a modified post_id parameter, a different vulnerability than CVE-2008-4628.
High
CVE-2008-6649
SQL injection vulnerability in manager/image_details_editor.php in Ktools PhotoStore 2.5, 2.9.8, 3.1.0, and other versions through 3.5.2 allows remote attackers to execute arbitrary SQL commands via…
High
CVE-2008-6648
SQL injection vulnerability in crumbs.php in Ktools PhotoStore 3.4.3 and 3.5.2 allows remote attackers to execute arbitrary SQL commands via the gid parameter to about_us.php. NOTE: this might be th…
High
CVE-2008-6647
SQL injection vulnerability in gallery.php in Ktools PhotoStore 3.4.3 allows remote attackers to execute arbitrary SQL commands via the gid parameter.
Medium
CVE-2008-6646
Cross-site scripting (XSS) vulnerability in index.php in CoronaMatrix phpAddressBook 2.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
Medium
CVE-2008-6643
LokiCMS 0.3.4 and possibly earlier versions does not properly restrict access to administrative functions, which allows remote attackers to bypass intended restrictions and modify configuration setti…
High
CVE-2008-6642
SQL injection vulnerability in view.php in DotContent FluentCMS 4.x allows remote attackers to execute arbitrary SQL commands via the sid parameter. NOTE: some of these details are obtained from thi…
Medium
CVE-2008-6639
Cross-site request forgery (CSRF) vulnerability in admin.php in AjaXplorer 2.3.3 and 2.3.4 allows remote attackers to hijack the authentication of administrators for requests that modify passwords vi…
Medium
CVE-2008-6637
Multiple cross-site scripting (XSS) vulnerabilities in forgotPW.php in Library Video Company SAFARI Montage 3.1.x allow remote attackers to inject arbitrary web script or HTML via the (1) school and…
Medium
CVE-2008-6636
PHP remote file inclusion vulnerability in skins/default.php in Geody Labs Dagger - The Cutting Edge r12feb2008, when register_globals is enabled, allows remote attackers to execute arbitrary PHP cod…
Medium
CVE-2008-6635
PHP remote file inclusion vulnerability in skins/default.php in Geody Labs Dagger - The Cutting Edge r12feb2008, when register_globals is enabled, allows remote attackers to execute arbitrary PHP cod…
High
CVE-2008-6634
SQL injection vulnerability in RoomPHPlanning 1.5 allows remote attackers to execute arbitrary SQL commands via the idroom parameter to weekview.php.
High
CVE-2008-6633
SQL injection vulnerability in RoomPHPlanning 1.5 allows remote attackers to execute arbitrary SQL commands via the idresa parameter to resaopen.php.
High
CVE-2008-6632
SQL injection vulnerability in func/login.php in MercuryBoard 1.1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header ($_SERVER['HTTP_USER_AGENT']).
Medium
CVE-2008-6631
Multiple cross-site scripting (XSS) vulnerabilities in index.php in BlogPHP 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) user parameter in a sendmessage action and th…
2009-04-06
Medium
CVE-2008-6629
Cross-site scripting (XSS) vulnerability in detail.php in WEBBDOMAIN Multi Languages WebShop Online 1.02 allows remote attackers to inject arbitrary web script or HTML via the name parameter.
High
CVE-2008-6627
SQL injection vulnerability in getin.php in WEBBDOMAIN WebShop 1.2, 1.1, 1.02, and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
High
CVE-2008-6626
SQL injection vulnerability in getin.php in WEBBDOMAIN Quiz 1.02 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
High
CVE-2008-6625
SQL injection vulnerability in getin.php in WEBBDOMAIN Polls (aka Poll) 1.0 and 1.01 allows remote attackers to execute arbitrary SQL commands via the username parameter.
High
CVE-2008-6624
SQL injection vulnerability in getin.php in WEBBDOMAIN Petition 1.02, 2.0, and 3.0 allows remote attackers to execute arbitrary SQL commands via the username parameter.
High
CVE-2008-6623
SQL injection vulnerability in getin.php in WEBBDOMAIN Post Card (aka Web Postcards) 1.02 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.