CVE Daily
← All tags

Tag: PHP

All CVEs associated with "PHP". Page 235/312 • 37336 CVEs.

Subscribe CVEs: RSS for “PHP”  ·  RSS (High+Critical only)

About “PHP”

A curated feed of “PHP”-related CVEs appears below. We currently track 37336 CVEs for this tag (all time). In the last 365 days, 6046 were published. Average CVSS is 6.7 (all time; 6.9 over 365d), and 50% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2009-02-18
Medium

CVE-2008-6159

Content Management Made Easy (CMME) 1.19 allows remote attackers to obtain system information via a direct request to info.php, which invokes the phpinfo function.

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2009-02-17
High

CVE-2009-0610

Multiple static code injection vulnerabilities in post.php in Simple PHP News 1.0 final allow remote attackers to inject arbitrary PHP code into news.txt via the (1) title or (2) date parameter, and…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2009-02-16
High

CVE-2009-0604

SQL injection vulnerability in index.php in PHP Director 0.21 and earlier allows remote attackers to execute arbitrary SQL commands via the searching parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Low

CVE-2009-0603

Cross-site scripting (XSS) vulnerability in index.php in the Link module 5.x-2.5 for Drupal 5.10 allows remote authenticated users, with "administer content types" privileges, to inject arbitrary web…

CVSS: 3.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2009-0602

Unrestricted file upload vulnerability in upload.php in WikkiTikkiTavi 1.11 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2008-6156

SQL injection vulnerability in editCampaign.php in AdMan 1.1.20070907 allows remote authenticated users to execute arbitrary SQL commands via the campaignId parameter.

CVSS: 6.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6155

SQL injection vulnerability in index.php in Hispah Text Links Ads 1.1 allows remote attackers to execute arbitrary SQL commands via the idtl parameter in a buy action. NOTE: the provenance of this i…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6154

SQL injection vulnerability in index.php in Hispah Text Links Ads 1.1 allows remote attackers to execute arbitrary SQL commands via the idcat parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0598

SQL injection vulnerability in index.php in PhpMesFilms 1.0 and 1.8 allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2009-0597

SQL injection vulnerability in admin/index.php in w3b>cms (aka w3blabor CMS) before 3.4.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the benutze…

CVSS: 6.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2009-0596

Directory traversal vulnerability in skysilver/login.tpl.php in phpSkelSite 1.4, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory t…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2009-0595

PHP remote file inclusion vulnerability in skysilver/login.tpl.php in phpSkelSite 1.4, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary…

CVSS: 5.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2009-0594

Cross-site scripting (XSS) vulnerability in index.php in phpSkelSite 1.4 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2009-0593

SQL injection vulnerability in members.php in plx Auto Reminder 3.7 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a newar action.

CVSS: 6.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0592

Multiple directory traversal vulnerabilities in PNphpBB2 1.2i and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ModName parameter to (1) admin_…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2008-6149

SQL injection vulnerability in the mDigg (com_mdigg) component 2.2.8 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cagtegory parameter in a story_lists action to index…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6148

SQL injection vulnerability in the Live Ticker (com_liveticker) module 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the tid parameter in a viewticker action to index.…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6146

SQL injection vulnerability in pm.php in DeluxeBB 1.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a delete##### parameter in a Delete…

CVSS: 6.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6142

Multiple SQL injection vulnerabilities in admin/usercheck.php in FlexPHPic 0.0.4 and FlexPHPic Pro 0.0.3, and other 0.0.x versions, allow remote attackers to execute arbitrary SQL commands via (1) th…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2009-02-14
Medium

CVE-2008-6139

Directory traversal vulnerability in faqsupport/wce.download.php in WebBiscuits Modules Controller 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the download parameter.

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2008-6138

PHP remote file inclusion vulnerability in adminhead.php in WebBiscuits Modules Controller 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path[docroot] paramet…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2009-02-13
High

CVE-2008-6133

SQL injection vulnerability in arsaprint.php in Full PHP Emlak Script allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3942.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6132

Eval injection vulnerability in reserve.php in phpScheduleIt 1.2.10 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via the start_date parameter.

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2008-6130

Cross-site scripting (XSS) vulnerability in index.php in moziloWiki 1.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) action and (2) page parameters.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2008-6129

Directory traversal vulnerability in print.php in moziloWiki 1.0.1 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter.

CVSS: 4.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2008-6127

Multiple cross-site scripting (XSS) vulnerabilities in moziloCMS 1.10.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) page and (2) query parameters to (a) inde…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2008-6126

Multiple directory traversal vulnerabilities in moziloCMS 1.10.2 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) file parameter to download.php and the (2) pa…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2009-0574

SQL injection vulnerability in index.php in Easy CafeEngine allows remote attackers to execute arbitrary SQL commands via the catid parameter, a different vector than CVE-2008-4604.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2009-0572

PHP remote file inclusion vulnerability in include/flatnux.php in FlatnuX CMS (aka Flatnuke3) 2009-01-27 and 2009-02-04, when register_globals is enabled and magic_quotes_gpc disabled, allows remote…

CVSS: 5.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2009-0571

admin.php in Ninja Designs Mailist 3.0 stores backup copies of maillist.php under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a di…

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2009-0570

Directory traversal vulnerability in send.php in Ninja Designs Mailist 3.0, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary…

CVSS: 5.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2008-6124

SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 all…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2009-02-11
High

CVE-2009-0535

Directory traversal vulnerability in export.php in Thyme 1.3 and earlier, when register_globals is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the export_to parame…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2009-0533

Cross-site scripting (XSS) vulnerability in password.php in Scripts for Sites EZ Reminder allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving th…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2009-0532

Cross-site scripting (XSS) vulnerability in password.php in Scripts For Sites (SFS) EZ Baby allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2009-0530

Multiple PHP remote file inclusion vulnerabilities in SnippetMaster 2.2.2, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SCRIPT_…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2009-0529

Cross-site scripting (XSS) vulnerability in index.php in SnippetMaster Webpage Editor 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the language parameter.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2009-0528

SQL injection vulnerability in frame.php in Rhadrix If-CMS 2.07 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2009-0527

PHP remote file inclusion vulnerability in plugins/rss_importer_functions.php in AdaptCMS Lite 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the sitepath parameter.

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2009-0526

Multiple cross-site scripting (XSS) vulnerabilities in index.php in AdaptCMS Lite 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) url and (2) acuparam parameters, and (3…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2009-0525

Cross-site scripting (XSS) vulnerability in the sajax_get_common_js function in php/Sajax.php in Sajax 0.12 allows remote attackers to inject arbitrary web script or HTML via the URL parameter, which…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2008-6120

SQL injection vulnerability in profile_comments.php in SocialEngine (SE) 2.7 and earlier allows remote attackers to execute arbitrary SQL commands via the comment_secure parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6119

Static code injection vulnerability in gooplecms/admin/account/action/editpass.php in Goople CMS 1.7 allows remote attackers to inject arbitrary PHP code into admin/userandpass.php via the (1) userna…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2008-6118

win/content/upload.php in Goople CMS 1.7 allows remote attackers to bypass authentication and gain administrative access by setting the loggedin cookie to 1.

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2008-6117

SQL injection vulnerability in homepage.php in PG Job Site Pro allows remote attackers to execute arbitrary SQL commands via the poll_view_id parameter in a results action.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6116

SQL injection vulnerability in the EXtrovert Software Thyme (com_thyme) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the event parameter to index.php.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6115

SQL injection vulnerability in directory.php in Prozilla Hosting Index allows remote attackers to execute arbitrary SQL commands via the id parameter in a deadlink action, a different vector than CVE…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6114

SQL injection vulnerability in product_details.php in the Mytipper Zogo-shop 1.15.4 plugin for e107 allows remote attackers to execute arbitrary SQL commands via the product parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6112

Multiple directory traversal vulnerabilities in Ez Ringtone Manager allow remote attackers to read arbitrary files via a .. (dot dot) in the id parameter in a detail action to (1) main.php and (2) te…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2008-6111

SQL injection vulnerability in blog.php in NetArt Media Vlog System 1.1 allows remote attackers to execute arbitrary SQL commands via the note parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2008-6110

Unspecified vulnerability in SemanticScuttle before 0.90 has unknown impact and attack vectors related to improper validation of parameters to profile.php.

CVSS: 10.0 CWE: N/A View on NVD
Critical

CVE-2009-0517

Eval injection vulnerability in index.php in phpSlash 0.8.1.1 and earlier allows remote attackers to execute arbitrary PHP code via the fields parameter, which is supplied to an eval function call wi…

CVSS: 10.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2009-0516

SQL injection vulnerability in the classified page (classified.php) in BusinessSpace 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2009-0515

Directory traversal vulnerability in check_lang.php in Yet Another NOCC (YANOCC) 0.1.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2009-0514

Multiple directory traversal vulnerabilities in WebFrame 0.76 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) currentmod and (2) LANG…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2009-0513

Multiple PHP remote file inclusion vulnerabilities in WebFrame 0.76 allow remote attackers to execute arbitrary PHP code via a URL in the classFiles parameter to (1) admin/doc/index.php, (2) index.ph…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Low

CVE-2009-0455

Cross-site scripting (XSS) vulnerability in the anonymous comments feature in lib-comment.php in glFusion 1.1.0, 1.1.1, and earlier versions allows remote attackers to inject arbitrary web script or…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2009-02-10
Medium

CVE-2008-6108

Cross-site scripting (XSS) vulnerability in result.php in Galatolo WebManager (GWM) 1.0 allows remote attackers to inject arbitrary web script or HTML via the key parameter.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2008-6104

SQL injection vulnerability in A4Desk PHP Event Calendar allows remote attackers to execute arbitrary SQL commands via the eventid parameter to admin/index.php.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6103

PHP remote file inclusion vulnerability in index.php in A4Desk Event Calendar, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the v parameter.

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2008-6102

SQL injection vulnerability in ratelink.php in Link Trader Script allows remote attackers to execute arbitrary SQL commands via the lnkid parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6101

SQL injection vulnerability in click.php in Adult Banner Exchange Website allows remote attackers to execute arbitrary SQL commands via the targetid parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6100

Multiple SQL injection vulnerabilities in Discussion Forums 2k 3.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) CatID parameter to (a) RSS1…

CVSS: 6.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6099

PHP remote file inclusion vulnerability in index.php in RPortal 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the file_op parameter.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2009-0464

PHP remote file inclusion vulnerability in includes/header.php in Groone GBook 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.

CVSS: 5.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2009-0463

PHP remote file inclusion vulnerability in includes/header.php in Groone GLinks 2.1 allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2009-0459

Multiple SQL injection vulnerabilities in admin/login_submit.php in Whole Hog Password Protect: Enhanced 1.x allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter (aka Us…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0458

Multiple SQL injection vulnerabilities in admin/login_submit.php in Whole Hog Ware Support 1.x allow remote attackers to execute arbitrary SQL commands via (1) the uid parameter (aka Username field)…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0457

Multiple directory traversal vulnerabilities in AJA Portal 1.2 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the currentlang parameter to ad…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2009-0456

PHP remote file inclusion vulnerability in examples/example_clientside_javascript.php in patForms, as used in Sourdough 0.3.5, allows remote attackers to execute arbitrary PHP code via a URL in the n…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2009-0453

Online Grades 3.2.4 allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function.

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2009-0452

Multiple SQL injection vulnerabilities in parents/login.php in Online Grades 3.2.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) uname or (2…

CVSS: 6.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0448

Directory traversal vulnerability in admin/modules/aa/preview.php in Syntax Desktop 2.7 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the synTarget parame…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2009-0446

SQL injection vulnerability in photo.php in WEBalbum 2.4b allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0445

SQL injection vulnerability in index.php in Dreampics Gallery Builder allows remote attackers to execute arbitrary SQL commands via the exhibition_id parameter in a gallery.viewPhotos action.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0444

Multiple PHP remote file inclusion vulnerabilities in GRBoard 1.8, when register_globals is enabled and magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary PHP code via a URL in…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2009-0442

Directory traversal vulnerability in bbcode.php in PHPbbBook 1.3 and 1.3h allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the l parameter.

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2009-0441

PHP remote file inclusion vulnerability in skin_shop/standard/2_view_body/body_default.php in TECHNOTE 7.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2008-6069

SQL injection vulnerability in e107chat.php in the eChat plugin 4.2 for e107, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the nick parameter.

CVSS: 6.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6068

SQL injection vulnerability in the JoomlaDate (com_joomladate) component 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the user parameter in a viewProfile action to in…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2009-0502

Cross-site scripting (XSS) vulnerability in blocks/html/block_html.php in Snoopy 1.2.3, as used in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4, allows remote att…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2009-0500

Cross-site scripting (XSS) vulnerability in course/lib.php in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4 allows remote attackers to inject arbitrary web script…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2009-0499

Cross-site request forgery (CSRF) vulnerability in the forum code in Moodle 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4 allows remote attackers to delete unauthorized forum posts via a l…

CVSS: 6.4 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
High

CVE-2009-0495

PHP remote file inclusion vulnerability in include/define.php in REALTOR 747 4.11 allows remote attackers to execute arbitrary PHP code via a URL in the INC_DIR parameter.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2009-0494

SQL injection vulnerability in the Portfol (com_portfol) 1.2 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the vcatid parameter in a viewcategory action to index…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0493

SQL injection vulnerability in login.php in IT!CMS 2.1a and earlier allows remote attackers to execute arbitrary SQL commands via the Username.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2009-02-09
Medium

CVE-2008-6097

Multiple cross-site scripting (XSS) vulnerabilities in WikyBlog before 1.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) key parameter to index.php/Special/Main/keywordS…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2008-6093

SQL injection vulnerability in index.php in Noname CMS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the (1) file_id parameter in a detailansic…

CVSS: 6.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6091

SQL injection vulnerability in plugins.php in BMForum 5.6, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the tagname parameter.

CVSS: 6.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0479

Multiple SQL injection vulnerabilities in admin/admin_login.php in Online Grades 3.2.4 allow remote attackers to execute arbitrary SQL commands via the (1) uname or (2) pword parameter. NOTE: the pr…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2009-02-06
Medium

CVE-2008-6090

Directory traversal vulnerability in members.php in ScriptsEz Mini Hosting Panel allows remote attackers to read arbitrary local files via a .. (dot dot) in the dir parameter in a view action.

CVSS: 4.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2008-6089

Directory traversal vulnerability in main.php in ScriptsEz Easy Image Downloader allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter in a download action.

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2008-6088

SQL injection vulnerability in the Joomtracker (com_joomtracker) 1.01 module for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a tordetails action to index…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6087

Cross-site scripting (XSS) vulnerability in topic.php in Camera Life 2.6.2b4 allows remote attackers to inject arbitrary web script or HTML via the name parameter.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2008-6086

SQL injection vulnerability in album.php in Camera Life 2.6.2b4 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2008-3355.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6084

Unrestricted file upload vulnerability in pages/download.php in Iamma Simple Gallery 1.0 and 2.0 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2008-6083

Directory traversal vulnerability in header.php in TXTshop beta 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2008-6081

SQL injection vulnerability in contact.php in Simple Customer 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6080

Directory traversal vulnerability in download.php in the ionFiles (com_ionfiles) 4.4.2 component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2008-6078

SQL injection vulnerability in open.php in the Private Messaging (com_privmsg) component for Limbo CMS allows remote attackers to execute arbitrary SQL commands via the id parameter in a pms action t…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6077

SQL injection vulnerability in loudblog/ajax.php in LoudBlog 0.8.0a and earlier allows remote authenticated users to execute arbitrary SQL commands via the colpick parameter in a singleread action.

CVSS: 6.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6076

SQL injection vulnerability in the Daily Message (com_dailymessage) 1.0.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2008-6074

Directory traversal vulnerability in frame.php in phpcrs 2.06 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) i…

CVSS: 5.1 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2009-02-05
High

CVE-2008-6066

Multiple PHP remote file inclusion vulnerabilities in Meet#Web 0.8 allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) modules.php, (2) ManagerResource.cl…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2008-6064

Multiple SQL injection vulnerabilities in DomPHP 0.81 allow remote attackers to execute arbitrary SQL commands via the cat parameter to agenda/index.php, and unspecified other vectors.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0429

Multiple SQL injection vulnerabilities in Active Bids allow remote attackers to execute arbitrary SQL commands via the (1) search parameter to search.asp, (2) SortDir parameter to auctionsended.asp,…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0425

SQL injection vulnerability in index.php in Blue Eye CMS 1.0.0 and earlier allows remote attackers to execute arbitrary SQL commands via the clanek parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2009-0424

Cross-site scripting (XSS) vulnerability in sign1.php in AN Guestbook (ANG) before 0.7.7 allows remote attackers to inject arbitrary web script or HTML via the country parameter, which is not properl…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2009-0423

Directory traversal vulnerability in index.php in Php Photo Album (PHPPA) 0.8 BETA allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the preview parameter.

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2009-0422

Dynamic variable evaluation vulnerability in lists/admin.php in phpList 2.10.8 and earlier, when register_globals is disabled, allows remote attackers to include and execute arbitrary local files via…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2009-0421

SQL injection vulnerability in the Eventing (com_eventing) 1.6.x component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0420

SQL injection vulnerability in the RD-Autos (com_rdautos) 1.5.5 Stable component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2009-02-04
High

CVE-2008-6050

SQL injection vulnerability in the Tech Articles (com_tech_article) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the item parameter to index.php.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2008-6046

SQL injection vulnerability in ADbNewsSender before 1.5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors in (1) opt_in_out.php.inc, (2) confirmation.php.inc, and (3…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2009-02-03
High

CVE-2009-0412

The ProcessLogin function in class.auth.php in Interspire Shopping Cart (ISC) 4.0.1 Ultimate edition allows remote attackers to bypass authentication and obtain administrative access by reusing the R…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0409

SQL injection vulnerability in offline_auth.php in Max.Blog 1.0.6 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.

CVSS: 6.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0407

SQL injection vulnerability in admin/login.php in PHP-CMS Project 1 allows remote attackers to execute arbitrary SQL commands via the username parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0406

SQL injection vulnerability in index.php in Community CMS 0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0405

SQL injection vulnerability in articles.php in smartSite CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the var parameter.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2009-0403

SQL injection vulnerability in admin/authenticate.php in Chipmunk Blogger Script allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD