High
CVE-2007-6004
Multiple SQL injection vulnerabilities in index.php in Toko Instan 7.6 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in an artikel action or (2) the katid paramete…
Tag: PHP
All CVEs associated with "PHP". Page 255/312 • 37334 CVEs.
Subscribe CVEs: RSS for “PHP” · RSS (High+Critical only)
About “PHP”
A curated feed of “PHP”-related CVEs appears below. We currently track 37334 CVEs for this tag (all time). In the last 365 days, 6058 were published. Average CVSS is 6.7 (all time; 6.9 over 365d), and 50% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion').
In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2007-11-15
High
CVE-2007-5973
SQL injection vulnerability in articles.php in JPortal 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the topic parameter.
High
CVE-2007-5974
SQL injection vulnerability in mailer.php in JPortal 2 allows remote attackers to execute arbitrary SQL commands via the to parameter.
Medium
CVE-2007-5975
SQL injection vulnerability in index.php in TBSource, as used in (1) TBDev and (2) TorrentStrike 0.4, allows remote authenticated users to execute arbitrary SQL commands via the choice parameter. NO…
Medium
CVE-2007-5976
SQL injection vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to execute arbitrary SQL commands via the db parameter.
Low
CVE-2007-5977
Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to inject arbitrary web script or HTML via a…
High
CVE-2007-5978
SQL injection vulnerability in brokenlink.php in the mylinks module for XOOPS allows remote attackers to execute arbitrary SQL commands via the lid parameter.
Medium
CVE-2007-5980
Cross-site scripting (XSS) vulnerability in home/rss.php in eggblog before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).
Medium
CVE-2007-5982
Multiple cross-site scripting (XSS) vulnerabilities in X7 Chat 2.0.4, 2.0.5, and possibly other versions allow remote attackers to inject arbitrary web script or HTML via the (1) room parameter to so…
Medium
CVE-2007-5983
Cross-site scripting (XSS) vulnerability in index.php in Justin Hagstrom AutoIndex PHP Script before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).
High
CVE-2007-5984
classes/Url.php in Justin Hagstrom AutoIndex PHP Script before 2.2.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via a %00 sequence in the dir parameter to index…
Medium
CVE-2007-5985
Multiple cross-site scripting (XSS) vulnerabilities in BtiTracker before 1.4.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) account.php, (2) moresmiles…
High
CVE-2007-5986
SQL injection vulnerability in include/functions.php in BtiTracker before 1.4.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Medium
CVE-2007-5987
details.php in BtiTracker before 1.4.5, when torrent viewing is disabled for guests, allows remote attackers to bypass protection mechanisms via a direct request, as demonstrated by (1) reading the d…
High
CVE-2007-5988
blocks/shoutbox_block.php in BtiTracker 1.4.4 does not verify user accounts, which allows remote attackers to post shoutbox entries as arbitrary users via a modified nick field.
2007-11-14
Medium
CVE-2007-3694
Cross-site scripting (XSS) vulnerability in login.php in Miro Project Broadcast Machine 0.9.9.9 allows remote attackers to inject arbitrary web script or HTML via the username parameter.
Medium
CVE-2007-5955
Cross-site scripting (XSS) vulnerability in updir.php in UPDIR.NET before 2.04 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Medium
CVE-2007-5942
Bandersnatch 0.4 allows remote attackers to obtain sensitive information via a malformed request for index.php with (1) a certain func parameter value; or (2) certain func, jid, page, and limit param…
Medium
CVE-2007-5948
Multiple cross-site scripting (XSS) vulnerabilities in main.php in SF-Shoutbox 1.2.1 through 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) nick (aka Name) and (2) shou…
High
CVE-2007-5951
SQL injection vulnerability in articles.php in E-Vendejo 0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.
Medium
CVE-2007-5952
Cross-site scripting (XSS) vulnerability in admin/index.php in Helios Calendar 1.2.1 Beta allows remote attackers to inject arbitrary web script or HTML via the username parameter. NOTE: the provena…
Medium
CVE-2007-5954
Cross-site scripting (XSS) vulnerability in buscador.php in JLMForo System allows remote attackers to inject arbitrary web script or HTML via the clave parameter. NOTE: the provenance of this inform…
2007-11-10
Medium
CVE-2007-5931
The reDirect function in lib/controllers/RepViewController.php in OrangeHRM before 2.2.2 does not verify the privileges of a user, which allows remote attackers to obtain access to data via unspecifi…
High
CVE-2007-5912
SQL injection vulnerability in mailer.php in jPORTAL 2 allows remote attackers to execute arbitrary SQL commands via the to parameter.
Medium
CVE-2007-5913
dirsys/modules/auth.php in JBC Explorer 7.20 RC1 and earlier does not require authentication, which allows remote attackers to (1) delete auth.inc.php via the suppr parameter, and (2) re-create the a…
Medium
CVE-2007-5914
Direct static code injection vulnerability in dirsys/modules/config/post.php in JBC Explorer 7.20 RC1 and earlier allows remote authenticated administrators to inject arbitrary PHP code via the DEBUG…
Medium
CVE-2007-5915
Directory traversal vulnerability in index.php in phphelpdesk 0.6.16 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the whattodo parameter.
Medium
CVE-2007-5917
Cross-site request forgery (CSRF) vulnerability in admin/admin_account.php in Skalinks 1.5 and earlier allows remote attackers to add arbitrary privileged accounts as administrators via the admin_nam…
Medium
CVE-2007-5918
Cross-site request forgery (CSRF) vulnerability in edit.php in the MS TopSites add-on for PHP-Nuke does not verify that the uname parameter matches the current account, which allows remote authentica…
Medium
CVE-2007-5920
index.php in Domenico Mancini PicoFlat CMS before 0.4.18 allows remote attackers to include certain files via unspecified vectors, possibly due to a directory traversal vulnerability. NOTE: this can…
2007-11-08
Critical
CVE-2007-5889
Multiple PHP remote file inclusion vulnerabilities in IDMOS 1.0 Alpha (aka Phoenix) allow remote attackers to execute arbitrary PHP code via a URL in the site_absolute_path parameter to (1) admin.php…
Critical
CVE-2007-5890
Directory traversal vulnerability in index.php in easyGB 2.1.1 allows remote attackers to include arbitrary files via the DatabaseType parameter. NOTE: the provenance of this information is unknown;…
2007-11-07
Medium
CVE-2007-5888
Cross-site scripting (XSS) vulnerability in displayecard.php in Coppermine Photo Gallery (CPG) before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the data parameter.
2007-11-06
Medium
CVE-2007-5840
PHP remote file inclusion vulnerability in starnet/themes/c-sky/main.inc.php in Fred Stuurman SyndeoCMS 2.5.01 allows remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter,…
Medium
CVE-2007-5841
PHP remote file inclusion vulnerability in admin/index.php in nuBoard 0.5 allows remote attackers to execute arbitrary PHP code via a URL in the site parameter.
Medium
CVE-2007-5842
Multiple PHP remote file inclusion vulnerabilities in Vortex Portal 1.0.42 allow remote attackers to execute arbitrary PHP code via a URL in the cfgProgDir parameter to (1) admincp/auth/secure.php or…
Medium
CVE-2007-5843
PHP remote file inclusion vulnerability in includes/common.php in scWiki 1.0 Beta 2 allows remote attackers to execute arbitrary PHP code via a URL in the pathdot parameter.
High
CVE-2007-5844
Directory traversal vulnerability in inc/includes.inc in GuppY 4.6.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the selskin parameter to index.php. NO…
High
CVE-2007-5845
Directory traversal vulnerability in error.php in GuppY 4.6.3, 4.5.16, and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the id parameter. NOTE:…
2007-11-05
Critical
CVE-2007-5820
Directory traversal vulnerability in index.php in Ax Developer CMS (AxDCMS) 0.1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter.
Medium
CVE-2007-5821
Multiple directory traversal vulnerabilities in DM Guestbook 0.4.1 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lng parameter to (a) g…
High
CVE-2007-5822
Direct static code injection vulnerability in forum.php in Ben Ng Scribe 0.2 and earlier allows remote attackers to inject arbitrary PHP code into a certain file in regged/ via the username parameter…
High
CVE-2007-5823
Directory traversal vulnerability in forum.php in Ben Ng Scribe 0.2 and earlier allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in the username parameter in a Regist…
Medium
CVE-2007-5835
Install.php in BosDev BosNews 4 and 5 does not require authentication for replacing an existing product installation or creating a new admin account, which allows remote attackers to cause a denial o…
Medium
CVE-2007-5816
dialog.php in CONTENTCustomizer 3.1mp and earlier allows remote attackers to obtain sensitive author credentials by making a request with an editauthor action, then reading the value of the newlocalp…
Medium
CVE-2007-5817
dialog.php in CONTENTCustomizer 3.1mp and earlier allows remote attackers to perform certain privileged actions via a (1) del, (2) delbackup, (3) res, or (4) ren action. NOTE: this issue can be leve…
High
CVE-2007-5818
Cross-site request forgery (CSRF) vulnerability in blocks_edit_do.php in sBlog 0.7.3 Beta allows remote attackers to change arbitrary blocks as administrators.
Medium
CVE-2007-5806
Cross-site scripting (XSS) vulnerability in Services/Utilities/classes/class.ilUtil.php in ILIAS 3.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via attributes inside…
Medium
CVE-2007-5811
Directory traversal vulnerability in PageTraiteDownload.php in phpMyConferences 8.0.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter. NOTE: this…
Medium
CVE-2007-5812
Directory traversal vulnerability in modules/Builder/DownloadModule.php in ModuleBuilder 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
Medium
CVE-2007-5813
Multiple directory traversal vulnerabilities in download.php in ISPworker 1.21 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ticketid and (2) filename parameters.
2007-11-03
Medium
CVE-2007-5800
Multiple PHP remote file inclusion vulnerabilities in the BackUpWordPress 0.4.2b and earlier plugin for WordPress allow remote attackers to execute arbitrary PHP code via a URL in the bkpwp_plugin_pa…
High
CVE-2007-5802
Directory traversal vulnerability in index.php in Firewolf Technologies Synergiser 1.2 RC1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the p…
2007-11-01
Medium
CVE-2007-5772
Direct static code injection vulnerability in the download module in Flatnuke 3 allows remote authenticated administrators to inject arbitrary PHP code into a description.it.php file in a subdirector…
Medium
CVE-2007-5773
Cross-site request forgery (CSRF) vulnerability in index.php in the File Manager module in Flatnuke 3 allows remote attackers to perform certain actions as administrators via requests containing the…
Medium
CVE-2007-5774
index.php in the File Manager module in Flatnuke 3 allows remote attackers to obtain sensitive information via an invalid argumentname parameter in a disc op action, which reveals the path in an erro…
Medium
CVE-2007-5780
PHP remote file inclusion vulnerability in pub/pub08_comments.php in teatro 1.6 allows remote attackers to execute arbitrary PHP code via a URL in the basePath parameter.
Medium
CVE-2007-5781
PHP remote file inclusion vulnerability in inc/sige_init.php in Sige 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the SYS_PATH parameter.
Medium
CVE-2007-5782
Directory traversal vulnerability in dl.php in FireConfig 0.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
Medium
CVE-2007-5784
PHP remote file inclusion vulnerability in index.php in CaupoShop Pro 2.x allows remote attackers to execute arbitrary PHP code via a URL in the action parameter.
High
CVE-2007-5785
SQL injection vulnerability in file.php in JobSite Professional 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
High
CVE-2007-5786
Multiple PHP remote file inclusion vulnerabilities in GoSamba 1.0.1 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) HTML_oben.php, (2) inc_freigabe…
2007-10-31
High
CVE-2007-5752
adduser.php in PHP-AGTC Membership (AGTC-Membership) System 1.1a does not require authentication, which allows remote attackers to create accounts via a modified form, as demonstrated by an account w…
High
CVE-2007-5753
Unspecified vulnerability in Light FMan PHP (lfman or lightfman) before 2.0rc1 has unknown impact and attack vectors related to "actions."
Medium
CVE-2007-5754
PHP remote file inclusion vulnerability in urlinn_includes/config.php in phpFaber URLInn 2.0.5 allows remote attackers to execute arbitrary PHP code via a URL in the dir_ws parameter.
2007-10-30
Medium
CVE-2007-5732
Directory traversal vulnerability in downloadfile.php in eLouai's Force Download of media files script, as available on 20071030 and earlier, allows remote attackers to read arbitrary files via the f…
High
CVE-2007-5733
Unrestricted file upload vulnerability in upload/upload.php in Japanese PHP Gallery Hosting, when Open directory mode is enabled, allows remote attackers to upload and execute arbitrary PHP code via…
Medium
CVE-2007-5736
Unrestricted file upload vulnerability in upload.php in SeeBlick 1.0 Beta allows remote attackers to upload arbitrary files via unspecified vectors. NOTE: these files are stored with .html extension…
Medium
CVE-2007-4861
SAXON 5.4, with display_errors enabled, allows remote attackers to obtain sensitive information via (1) a direct request for news.php, (2) an invalid use of a newsid array parameter to admin/edit-ite…
Medium
CVE-2007-4862
Cross-site scripting (XSS) vulnerability in admin/menu.php in SAXON 5.4 allows remote attackers to inject arbitrary web script or HTML via the config[news_url] parameter.
Medium
CVE-2007-4863
SQL injection vulnerability in example.php in SAXON 5.4 allows remote attackers to execute arbitrary SQL commands via the template parameter.
High
CVE-2007-5719
SQL injection vulnerability in bb_func_search.php in miniBB 2.1 allows remote attackers to execute arbitrary SQL commands via the table parameter to index.php.
Medium
CVE-2007-5720
Unrestricted file upload vulnerability in the profiles script in ProfileCMS 1.0 allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors involving creation of a profil…
Medium
CVE-2007-5721
PHP remote file inclusion vulnerability in _theme/breadcrumb.php in MySpacePros MySpace Resource Script (MSRS) 1.21 allows remote attackers to execute arbitrary PHP code via a URL in the rootBase par…
Medium
CVE-2007-5724
Multiple cross-site scripting (XSS) vulnerabilities in Omnistar Live allow remote attackers to inject arbitrary web script or HTML via (1) the category_id parameter to users/kb.php, and possibly (3)…
Medium
CVE-2007-5725
Multiple cross-site scripting (XSS) vulnerabilities in Smart-Shop allow remote attackers to inject arbitrary web script or HTML via (1) the email parameter to index.php; or the command parameter to i…
Medium
CVE-2007-5727
Incomplete blacklist vulnerability in the stripScripts function in common.php in OneOrZero Helpdesk 1.6.5.4, 1.6.4.2, and possibly other versions, allows remote attackers to conduct cross-site script…
Medium
CVE-2007-5728
Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and possibly 4.1.2, allows remote attackers to inject arbitrary web script or HTML via certain input available in PHP_SELF in (1)…
Low
CVE-2007-5710
Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter.
2007-10-29
Medium
CVE-2007-5705
Unspecified vulnerability in the Settings component in the administration system in Jeebles Directory 2.9.60 allows remote authenticated administrators to execute arbitrary PHP code via unspecified v…
Critical
CVE-2007-5706
Absolute path traversal vulnerability in download.php in Jeebles Directory 2.9.60 allows remote attackers to read arbitrary files via a full pathname in the query string. NOTE: some of these details…
Medium
CVE-2007-5697
Multiple PHP remote file inclusion vulnerabilities in PHP Image 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the xarg parameter to (1) xarg_corner.php, (2) xarg_corner_bottom…
Medium
CVE-2007-5692
Multiple cross-site scripting (XSS) vulnerabilities in SiteBar 3.3.8 allow remote attackers to inject arbitrary web script or HTML via (1) the lang parameter to integrator.php; (2) the token paramete…
Medium
CVE-2007-5693
Eval injection vulnerability in the translation module (translator.php) in SiteBar 3.3.8 allows remote authenticated users to execute arbitrary PHP code via the edit parameter in an upd cmd action, a…
Medium
CVE-2007-5694
Absolute path traversal vulnerability in the translation module (translator.php) in SiteBar 3.3.8 allows remote authenticated users to read arbitrary files via an absolute path in the dir parameter,…
Medium
CVE-2007-5695
Open redirect vulnerability in command.php in SiteBar 3.3.8 allows remote attackers to redirect users to arbitrary web sites via a URL in the forward parameter in a Log In action.
Medium
CVE-2007-5696
PHP remote file inclusion vulnerability in includes.php in phpBasic allows remote attackers to execute arbitrary PHP code via a URL in the root parameter, possibly related to the Music module.
High
CVE-2007-5688
Multiple SQL injection vulnerabilities in directory.php in the Multi-Forums (aka Multi Host Forum Pro) module 1.3.3, for phpBB and Invision Power Board (IPB or IP.Board), allow remote attackers to ex…
2007-10-26
High
CVE-2007-5682
Incomplete blacklist vulnerability in tiki-graph_formula.php in TikiWiki before 1.9.8.2 allows remote attackers to execute arbitrary code by using variable functions and variable variables to write v…
Medium
CVE-2007-5683
Multiple cross-site scripting (XSS) vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter to the password remind…
High
CVE-2007-5684
Multiple directory traversal vulnerabilities in TikiWiki 1.9.8.1 and earlier allow remote attackers to include and execute arbitrary files via an absolute pathname in (1) error_handler_file and (2) l…
2007-10-25
High
CVE-2007-5679
SQL injection vulnerability in index.php in DeeEmm.com DM CMS 0.7.0.Beta allows remote attackers to execute arbitrary SQL commands via the id parameter in the media page (build_media_content.php). NO…
2007-10-24
Medium
CVE-2007-5674
Directory traversal vulnerability in index.php in InstaGuide Weather (aka Weather for PHP) 1.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files…
Medium
CVE-2007-5676
PHP remote file inclusion vulnerability in modules/Forums/favorites.php in PHP-Nuke Platinum 7.6.b.5 allows remote attackers to execute arbitrary PHP code via a URL in the nuke_bb_root_path parameter.
Medium
CVE-2007-5677
Cross-site scripting (XSS) vulnerability in shoutbox/blocco.php in Hackish BETA 1.1 allows remote attackers to inject arbitrary web script or HTML via the go_shout parameter.
2007-10-23
Medium
CVE-2007-5641
Multiple PHP remote file inclusion vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the full_path parameter to (1) certin…
Medium
CVE-2007-5642
Multiple directory traversal vulnerabilities in PHP Project Management 0.8.10 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the def_lang pa…
High
CVE-2007-5643
Multiple SQL injection vulnerabilities in Lussumo Vanilla 1.1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the CategoryID parameter to ajax/sortcategories.php or (2)…
High
CVE-2007-5644
Lussumo Vanilla 1.1.3 and earlier does not require admin privileges for (1) ajax/sortcategories.php and (2) ajax/sortroles.php, which allows remote attackers to conduct unauthorized sort operations a…
Medium
CVE-2007-5646
SQL injection vulnerability in Sources/Search.php in Simple Machines Forum (SMF) 1.1.3, when MySQL 5 is used, allows remote attackers to execute arbitrary SQL commands via the userspec parameter in a…
Medium
CVE-2007-5648
Multiple cross-site scripting (XSS) vulnerabilities in rnote.php in rNote 0.9.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) d or the (2) u parameter.
Medium
CVE-2007-5649
Cross-site scripting (XSS) vulnerability in lostpwd.php in Creative Digital Resources SocketMail 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the lost_id parameter.
High
CVE-2007-5650
Directory traversal vulnerability in system.php in ReloadCMS 1.2.7 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter to index.php.
Critical
CVE-2007-5653
The Component Object Model (COM) functions in PHP 5.x on Windows do not follow safe_mode and disable_functions restrictions, which allows context-dependent attackers to bypass intended limitations, a…
Medium
CVE-2007-5654
LiteSpeed Web Server before 3.2.4 allows remote attackers to trigger use of an arbitrary MIME type for a file via a "%00." sequence followed by a new extension, as demonstrated by reading PHP source…
High
CVE-2007-5630
SQL injection vulnerability in tnews.php in BBsProcesS BBPortalS 1.5.10 through 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a tnews action.
Medium
CVE-2007-5631
Multiple PHP remote file inclusion vulnerabilities in PeopleAggregator 1.2pre6, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the current_blockmo…
Medium
CVE-2007-5627
PHP remote file inclusion vulnerability in content/fnc-readmail3.php in SocketMail 2.2.8 allows remote attackers to execute arbitrary PHP code via a URL in the __SOCKETMAIL_ROOT parameter.
Medium
CVE-2007-5628
PHP remote file inclusion vulnerability in src/scripture.php in The Online Web Library Site (TOWels) 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the pageHeaderFile paramete…
2007-10-22
Medium
CVE-2007-5190
Multiple cross-site scripting (XSS) vulnerabilities in Alcatel OmniVista 4760 R4.2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the action parameter to php-bin/We…
High
CVE-2007-5620
Directory traversal vulnerability in admin/inc/help.php in ZZ:FlashChat 3.1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter.
2007-10-19
Medium
CVE-2007-5589
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) serv…
Medium
CVE-2007-5592
Multiple PHP remote file inclusion vulnerabilities in awzMB 4.2 beta 1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the Setting[OPT_includepath] parameter to (1) admi…
Medium
CVE-2007-5593
install.php in Drupal 5.x before 5.3, when the configured database server is not reachable, allows remote attackers to execute arbitrary code via vectors that cause settings.php to be modified.
Medium
CVE-2007-5599
Multiple PHP remote file inclusion vulnerabilities in awrate 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the toroot parameter to (1) 404.php or (2) topbar.php, different vec…
Medium
CVE-2007-5600
Incomplete blacklist vulnerability in index.php in Artmedic CMS 3.4 and earlier allows remote attackers to execute arbitrary PHP code via a (1) UNC share pathname, or a (2) ftps, (3) ssh2.sftp, or (4…
2007-10-18
High
CVE-2007-5578
Basic Analysis and Security Engine (BASE) before 1.3.8 sends a redirect to the web browser but does not exit, which allows remote attackers to bypass authentication via (1) base_main.php, (2) base_qr…
High
CVE-2007-5579
login.php in Pligg CMS 9.5 uses a guessable confirmation code when resetting a forgotten password, which allows remote attackers with knowledge of a username to reset that user's password by calculat…
Critical
CVE-2007-5565
PHP remote file inclusion vulnerability in includes/functions.php in phpSCMS 0.0.1-Alpha1 allows remote attackers to execute arbitrary PHP code via a URL in the dir parameter. NOTE: this issue is di…
High
CVE-2007-5566
Multiple PHP remote file inclusion vulnerabilities in PHPBlog 0.1 Alpha allow remote attackers to execute arbitrary PHP code via a URL in the blog_localpath parameter to (1) includes/functions.php or…