CVE Daily
← All tags

Tag: PHP

All CVEs associated with "PHP". Page 293/311 • 37316 CVEs.

Subscribe CVEs: RSS for “PHP”  ·  RSS (High+Critical only)

About “PHP”

A curated feed of “PHP”-related CVEs appears below. We currently track 37316 CVEs for this tag (all time). In the last 365 days, 6066 were published. Average CVSS is 6.7 (all time; 6.9 over 365d), and 50% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2006-02-25
Medium

CVE-2006-0885

Cross-site scripting (XSS) vulnerability in show_news.php in CuteNews 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the show parameter.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0886

Cross-site scripting (XSS) vulnerability in register.php in DEV web management system 1.5 allows remote attackers to inject arbitrary web script or HTML via the "City/Region" field (mesto variable).…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2006-0887

Eval injection vulnerability in sessions.inc in PHP Base Library (PHPLib) before 7.4a, when index.php3 from the PHPLib distribution is available on the server, allows remote attackers to execute arbi…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Low

CVE-2006-0888

index.php in Invision Power Board (IPB) 2.0.1, with Code Confirmation disabled, allows remote attackers to cause an unspecified denial of service by registering a large number of users.

CVSS: 2.6 CWE: N/A View on NVD
Medium

CVE-2006-0891

Multiple directory traversal vulnerabilities in NOCC Webmail 1.0 allow remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing NULL (%00) byte in (1) the _SESSION['nocc_…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0894

Multiple cross-site scripting (XSS) vulnerabilities in NOCC Webmail 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the html_error_occurred parameter in error.php, (2) html_…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0895

NOCC Webmail 1.0 allows remote attackers to obtain the installation path via a direct request to html/header.php.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0896

Cross-site scripting (XSS) vulnerability in Sources/Register.php in Simple Machine Forum (SMF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For HTTP header…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2006-02-24
Medium

CVE-2006-0872

Directory traversal vulnerability in init.inc.php in Coppermine Photo Gallery 1.4.3 and earlier allows remote attackers to include arbitrary files via a .. (dot dot) sequence and trailing NULL (%00)…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0873

Absolute path traversal vulnerability in docs/showdocs.php in Coppermine Photo Gallery 1.4.3 and earlier allows remote attackers to include arbitrary files via the f parameter, and possibly remote fi…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0875

Cross-site scripting vulnerability in ratefile.php in RunCMS 1.3a5 allows remote attackers to inject arbitrary web script or HTML via the lid parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0878

Noah's Classifieds 1.3 allows remote attackers to obtain the installation path via a direct request to include files, as demonstrated by classifieds/gorum/category.php.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0880

Multiple cross-site scripting (XSS) vulnerabilities in index.php in Noah's Classifieds 1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) inf parameter; or, when register_g…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2006-0881

Multiple PHP remote file include vulnerabilities in gorum/gorumlib.php in Noah's Classifieds 1.3, when register_globals is enabled, allow remote attackers to include arbitrary PHP files via the (1) u…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0882

Directory traversal vulnerability in include.php in Noah's Classifieds 1.3 allows remote attackers to include arbitrary local files via the otherTemplate parameter to index.php.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0188

webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site…

CVSS: 4.3 CWE: N/A View on NVD
2006-02-23
High

CVE-2006-0856

SQL injection vulnerability in login.php in Scriptme SmE GB Host 1.21 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the Username parameter.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0869

Directory traversal vulnerability in the "remember me" feature in liveuser.php in PHP Extension and Application Repository (PEAR) LiveUser 0.16.8 and earlier allows remote attackers to determine file…

CVSS: 6.4 CWE: N/A View on NVD
High

CVE-2006-0850

SQL injection vulnerability in include/includes/user/login.php in ilchClan before 1.05g allows remote attackers to execute arbitrary SQL commands via the login_name parameter. NOTE: the provenance o…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0852

Direct static code injection vulnerability in write.php in Admbook 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via the X-Forwarded-For HTTP header field, which is inserted…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0854

PHP remote file inclusion vulnerability in common.php in Intensive Point iUser Ecommerce allows remote attackers to include arbitrary files via a URL in the include_path variable, which is not initia…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2006-02-22
High

CVE-2006-0835

SQL injection vulnerability in dropbase.php in MitriDAT Web Calendar Pro allows remote attackers to modify internal SQL queries and cause a denial of service (inaccessible database) via the tabls par…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0840

manage_user_page.php in Mantis 1.00rc4 and earlier does not properly handle a sort parameter containing a ' (quote) character, which allows remote attackers to trigger a SQL error that may be repeate…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0841

Multiple cross-site scripting (XSS) vulnerabilities in Mantis 1.00rc4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) hide_status, (2) handler_id, (3) user_monit…

CVSS: 4.3 CWE: N/A View on NVD
2006-02-21
High

CVE-2006-0821

SQL injection vulnerability in index.php in BXCP 0.299 allows remote attackers to execute arbitrary SQL commands via the tid parameter.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0823

Multiple SQL injection vulnerabilities in Geeklog 1.4.0 before 1.4.0sr1 and 1.3.11 before 1.3.11sr4 allow remote attackers to inject arbitrary SQL commands via the (1) userid variable to users.php or…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0824

Multiple unspecified vulnerabilities in lib-common.php in Geeklog 1.4.0 before 1.4.0sr1 and 1.3.11 before 1.3.11sr4 allow remote attackers to include arbitrary local files and execute arbitrary code…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0831

PHP remote file include vulnerability in index.php in Tasarim Rehberi allows remote attackers to execute arbitrary PHP code via a URL in the (1) sayfaadi or (2) sayfa parameter. NOTE: this might be…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0805

The CAPTCHA functionality in php-Nuke 6.0 through 7.9 uses fixed challenge/response pairs that only vary once per day based on the User Agent (HTTP_USER_AGENT), which allows remote attackers to bypas…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0806

Multiple cross-site scripting (XSS) vulnerabilities in ADOdb 4.71, as used in multiple packages such as phpESP, allow remote attackers to inject arbitrary web script or HTML via (1) the next_page par…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2006-0809

Multiple SQL injection vulnerabilities in Skate Board 0.9 allow remote attackers to execute arbitrary SQL commands via the (1) usern parameter in (a) sendpass.php, and the (2) usern and (3) passwd pa…

CVSS: 7.5 CWE: N/A View on NVD
Low

CVE-2006-0810

Unspecified vulnerability in config.php in Skate Board 0.9 allows remote authenticated administrators to execute arbitrary PHP code by causing certain variables in config.php to be modified, possibly…

CVSS: 3.5 CWE: N/A View on NVD
Medium

CVE-2006-0811

Cross-site scripting (XSS) vulnerability in reguser.php in Skate Board 0.9 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters involved with the registration for…

CVSS: 4.3 CWE: N/A View on NVD
2006-02-20
Low

CVE-2006-0800

Interpretation conflict in PostNuke 0.761 and earlier allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML tags with a trailing "<" character, which is interpreted as a ">"…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2006-0801

SQL injection vulnerability in the NS-Languages module for PostNuke 0.761 and earlier, when magic_quotes_gpc is off, allows remote attackers to execute arbitrary SQL commands via the language paramet…

CVSS: 5.1 CWE: N/A View on NVD
2006-02-19
High

CVE-2006-0791

PHP remote file inclusion vulnerability in index.php in DreamCost HostAdmin allows remote attackers to include arbitrary files via the $path variable, which is not initialized before use.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0792

Cross-site scripting (XSS) vulnerability in preferences.personal.php in V-webmail 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the newid parameter. NOTE: the provenance o…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0793

frameset.php in V-webmail 1.6.2 allows remote attackers to conduct phishing attacks by referencing arbitrary websites in the rframe parameter. NOTE: the provenance of this information is unknown; th…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0794

help.php in V-webmail 1.6.2 allows remote attackers to obtain the installation path via unspecified invalid parameters. NOTE: the provenance of this information is unknown; the details are obtained…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0796

Cross-site scripting (XSS) vulnerability in default.php in Clever Copy 3.0 allows remote attackers to inject arbitrary web script or HTML via the Subject field when sending private messages (privatem…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0783

Cross-site scripting (XSS) vulnerability in page.php in in Siteframe Beaumont, possibly 5.0.2 or 5.0.1a, allows remote attackers to inject arbitrary web script or HTML via the comment_text parameter…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0785

Absolute path traversal vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier allows remote attackers to include and execute arbitrary local files via a direct request with a path parame…

CVSS: 6.4 CWE: N/A View on NVD
Medium

CVE-2006-0786

Incomplete blacklist vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier, with allow_url_fopen enabled, allows remote attackers to conduct PHP remote file include attacks via a path pa…

CVSS: 5.1 CWE: N/A View on NVD
Medium

CVE-2006-0787

wimpy_trackplays.php in Plaino Wimpy MP3 Player, possibly 5.2 and earlier, allows remote attackers to insert arbitrary strings into trackme.txt via the (1) trackFile, (2) trackArtist, and (3) trackTi…

CVSS: 4.0 CWE: N/A View on NVD
High

CVE-2006-0775

Multiple SQL injection vulnerabilities in show.php in BirthSys 3.1 allow remote attackers to execute arbitrary SQL commands via the $month variable. NOTE: a vector regarding the $date parameter and…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0778

Multiple SQL injection vulnerabilities in XMB Forums 1.9.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) $u2u_select array parameter to u2u.inc.php and (2) $val var…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0779

Cross-site scripting (XSS) vulnerability in u2u.php in XMB Forums 1.9.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter, as demonstrated using a…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2006-02-18
Low

CVE-2006-0770

Cross-site scripting (XSS) vulnerability in calendar.php in MyBulletinBoard (MyBB) 1.0.4 allows remote attackers to inject arbitrary web script or HTML via a URL that is not sanitized before being re…

CVSS: 2.6 CWE: N/A View on NVD
High

CVE-2006-0750

SQL injection vulnerability in army.php in supersmashbrothers (SSB) Army System 2.1.0 for Invision Power Board (IPB) allows remote attackers to execute arbitrary SQL commands via the userstat paramet…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2006-0754

dotProject 2.0.1 and earlier allows remote attackers to obtain sensitive information via direct requests with an invalid baseDir to certain PHP scripts in the db directory, which reveal the path in a…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0755

Multiple PHP remote file include vulnerabilities in dotProject 2.0.1 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary commands via the baseDir parameter in (…

CVSS: 5.6 CWE: N/A View on NVD
Medium

CVE-2006-0756

dotProject 2.0.1 and earlier leaves (1) phpinfo.php and (2) check.php accessible under the /docs/ directory after installation, which allows remote attackers to obtain sensitive configuration informa…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2006-0757

Multiple eval injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary PHP code via (1) the contactgroupid parameter in addressbook.update.php, (2) the messag…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0758

Multiple cross-site scripting (XSS) vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to inject arbitrary web script or HTML via a URL encoded expression in the query string in (1) i…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2006-0759

Multiple SQL injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the contactgroupid parameter in addressbook.update.php, (2) the mes…

CVSS: 7.5 CWE: N/A View on NVD
Low

CVE-2006-0760

LightTPD 1.4.8 and earlier, when the web root is on a case-insensitive filesystem, allows remote attackers to bypass URL checks and obtain sensitive information via file extensions with unexpected ca…

CVSS: 2.6 CWE: N/A View on NVD
2006-02-16
High

CVE-2006-0679

SQL injection vulnerability in index.php in the Your_Account module in PHP-Nuke 7.8 and earlier allows remote attackers to execute arbitrary SQL commands via the username variable (Nickname field).

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0721

SQL injection vulnerability in pmlite.php in RunCMS 1.2 and 1.3a allows remote attackers to execute arbitrary SQL commands via the to_userid parameter.

CVSS: 7.5 CWE: N/A View on NVD
Low

CVE-2006-0722

settings.php in Reamday Enterprises Magic Downloads 1.1.3, when register_globals is enabled, allows remote attackers to modify program behavior, potentially bypassing authentication controls, via mod…

CVSS: 2.6 CWE: N/A View on NVD
Low

CVE-2006-0723

PHP remote file inclusion vulnerability in preview.php in Reamday Enterprises Magic News Lite 1.2.3, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in…

CVSS: 2.6 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Low

CVE-2006-0724

profile.php in Reamday Enterprises Magic News Lite 1.2.3, when register_globals is enabled, allows remote attackers to modify program behavior, potentially bypassing authentication controls, via modi…

CVSS: 2.6 CWE: N/A View on NVD
Medium

CVE-2006-0725

PHP remote file inclusion vulnerability in prepend.php in Plume CMS 1.0.2, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the _PX_config[manager_pat…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2006-0726

Cross-site scripting (XSS) vulnerability in linking.php in CPG-Nuke Dragonfly CMS 9.0.6.1 allows remote attackers to inject arbitrary web script or HTML via a URI that is generated when creating a li…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2006-0727

SQL injection vulnerability in mstrack.php in MusOX DF MSAnalysis (DFMSA), as used in some environments that use CPG-Nuke Dragonfly CMS, allows remote attackers to trigger path disclosure from a SQL…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0728

SQL injection vulnerability in search.php in webSPELL 4.01.00 and earlier allows remote attackers to inject arbitrary SQL commands via the title_op parameter.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0729

SQL injection vulnerability in functions.php in Teca Diary PE 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) yy, (2) mm, and (3) dd parameters.

CVSS: 7.5 CWE: N/A View on NVD
2006-02-15
High

CVE-2006-0719

SQL injection vulnerability in member_login.php in PHP Classifieds 6.18 through 6.20 allows remote attackers to execute arbitrary SQL commands via the (1) username parameter, which is used by the E-m…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0688

PHP remote file include vulnerability in application.php in nicecoder.com indexu 5.0.0 and 5.0.1 allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0691

edituser.php in TTS Time Tracking Software 3.0 does not verify that the name and password are correct, which allows remote attackers to overwrite arbitrary data belonging to any account.

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2006-0692

Multiple SQL injection vulnerabilities in Carey Briggs PHP/MYSQL Timesheet 1 and 2 allow remote attackers to execute arbitrary SQL commands via the (1) yr, (2) month, (3) day, and (4) job parameters…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2006-0693

Multiple SQL injection vulnerabilities in rb_auth.php in Roberto Butti CALimba 0.99.2 beta and earlier allow remote attackers to execute arbitrary SQL commands and bypass login authentication via the…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0694

Unspecified vulnerability in the loaders (load_*.php) in Ansilove before 1.03 allows remote attackers to read arbitrary files via unspecified vectors involving "converting files accessible by the web…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0699

Cross-site scripting (XSS) vulnerability in search.php in QWikiWiki 1.5, and possibly 1.5.1 and other versions, allows remote attackers to inject arbitrary web script or HTML via the query parameter.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0700

imageVue 16.1 allows remote attackers to obtain folder permission settings via a direct request to dir.php, which returns an XML document that lists folders and their permissions.

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2006-0701

readfolder.php in imageVue 16.1 allows remote attackers to list directories via modified path and ext parameters.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0702

admin/upload.php in imageVue 16.1 allows remote attackers to upload arbitrary files to certain allowed folders via .. (dot dot) sequences in the path parameter. NOTE: due to the lack of details, the…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0703

Unspecified vulnerability in index.php in imageVue 16.1 has unknown impact, probably a cross-site scripting (XSS) vulnerability involving the query string that is not quoted when inserted into style…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0706

Cross-site scripting vulnerability in eintrag.php in Gästebuch (Gastebuch) before 1.3.3 allows remote attackers to inject arbitrary web script or HTML via the URL, which is used in the homepage param…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2006-0713

Directory traversal vulnerability in LinPHA 1.0 allows remote attackers to include arbitrary files via .. (dot dot) sequences in the (1) lang parameter in docs/index.php and the language parameter in…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0714

Directory traversal vulnerability in the installation file (sql/install-0.9.7.php) in Flyspray 0.9.7 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the adodbpath pa…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2006-0716

SQL injection vulnerability in index.php in sNews 1.3 allows remote attackers to execute arbitrary SQL commands via the (1) category and (2) id parameters.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0684

change_password.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not verify the old password when a user changes the password, which may allow remote attackers to gain unauthoriz…

CVSS: 7.5 CWE: N/A View on NVD
Critical

CVE-2006-0685

The check_login function in login.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not exit when authentication fails, which allows remote attackers to gain unauthorized access.

CVSS: 10.0 CWE: N/A View on NVD
Critical

CVE-2006-0686

add_user.php in Virtual Hosting Control System (VHCS) 2.4.7.1 and earlier does not check user privileges when adding a new administrative user, which allows remote attackers to gain unauthorized acce…

CVSS: 10.0 CWE: N/A View on NVD
Medium

CVE-2006-0687

process.php in DocMGR 0.54.2 does not initialize the $siteModInfo variable when a direct request is made, which allows remote attackers to include arbitrary local files or possibly remote files via a…

CVSS: 5.0 CWE: N/A View on NVD
2006-02-13
High

CVE-2006-0668

SQL injection vulnerability in index.php in PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter, possibly in message.php in the espace_membre module. NOTE: th…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0673

Multiple SQL injection vulnerabilities in cms/index.php in Magic Calendar Lite 1.02, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the (1) $total_login…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0675

Cross-site scripting (XSS) vulnerability in search.php in Siteframe 5.0.1 allows remote attackers to inject arbitrary web script or HTML via the q parameter.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0676

Cross-site scripting (XSS) vulnerability in header.php in PHP-Nuke 6.0 to 7.8 allows remote attackers to inject arbitrary web script or HTML via the pagetitle parameter.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2006-0648

Multiple directory traversal vulnerabilities in PHP iCalendar 2.0.1, 2.1, and 2.2 allow remote attackers to include arbitrary files via the (1) getdate and possibly other parameters used in the repla…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0650

Cross-site scripting (XSS) vulnerability in cpaint2.inc.php in the CPAINT library before 2.0.3, as used in multiple scripts, allows remote attackers to inject arbitrary web script or HTML via the cpa…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2006-0651

SQL injection vulnerability in index.php in vwdev allows remote attackers to execute arbitrary SQL commands via the UID parameter in the definition Page.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0654

check.php in Hinton Design phpht Topsites 1.3 does not validate passwords when using cookies, which allows remote attackers to bypass authentication via unspecified cookies.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0655

Multiple cross-site scripting (XSS) vulnerabilities in (1) link_edited.php and (2) link_added.php in Hinton Design phpht Topsites 1.3 allow remote attackers to inject arbitrary web script or HTML via…

CVSS: 4.3 CWE: N/A View on NVD
Low

CVE-2006-0657

Cross-site scripting (XSS) vulnerability in Softcomplex PHP Event Calendar 1.5 allows remote authenticated users to inject arbitrary web script or HTML, and corrupt data, via the (1) username and (2)…

CVSS: 3.5 CWE: N/A View on NVD
Medium

CVE-2006-0658

Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the fi…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0659

Multiple PHP remote file include vulnerabilities in RunCMS 1.2 and earlier, with register_globals and allow_url_fopen enabled, allow remote attackers to execute arbitrary code via the bbPath[path] pa…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2006-0660

Multiple directory traversal vulnerabilities in FarsiNews 2.5 and earlier allows remote attackers to (1) read arbitrary files or trigger an error message path disclosure via ".." or invalid names in…

CVSS: 6.4 CWE: N/A View on NVD
Medium

CVE-2006-0664

Cross-site scripting (XSS) vulnerability in config_defaults_inc.php in Mantis before 1.0 allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. NOTE: the provenan…

CVSS: 4.3 CWE: N/A View on NVD
Critical

CVE-2006-0665

Unspecified vulnerability in (1) query_store.php and (2) manage_proj_create.php in Mantis before 1.0.0 has unknown impact and attack vectors. NOTE: the provenance of this information is unknown; the…

CVSS: 10.0 CWE: N/A View on NVD
2006-02-10
Medium

CVE-2006-0633

The make_password function in ipsclass.php in Invision Power Board (IPB) 2.1.4 uses random data generated from partially predictable seeds to create the authentication code that is sent by e-mail to…

CVSS: 6.4 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2006-0636

desktop.php in eyeOS 0.8.9 and earlier tests for the existence of the _SESSION variable before calling the session_start function, which allows remote attackers to execute arbitrary PHP code and poss…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0638

SQL injection vulnerability in moderation.php in MyBB (aka MyBulletinBoard) 1.0.3 allows remote authenticated users, with certain privileges for moderating and merging posts, to execute arbitrary SQL…

CVSS: 6.5 CWE: N/A View on NVD
Medium

CVE-2006-0639

Cross-site scripting (XSS) vulnerability in search.php in MyBB (aka MyBulletinBoard) 1.0.2 allows remote attackers with knowledge of the table prefix to inject arbitrary web script or HTML via a URL…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2006-0644

Multiple directory traversal vulnerabilities in install.php in CPG-Nuke Dragonfly CMS (aka CPG Dragonfly CMS) 9.0.6.1 allow remote attackers to include and execute arbitrary local files via directory…

CVSS: 7.5 CWE: N/A View on NVD
2006-02-09
Medium

CVE-2006-0625

Directory traversal vulnerability in Spip_RSS.PHP in SPIP 1.8.2g and earlier allows remote attackers to read or include arbitrary files via ".." sequences in the GLOBALS[type_urls] parameter, which…

CVSS: 6.4 CWE: N/A View on NVD
High

CVE-2006-0610

Multiple SQL injection vulnerabilities in 2200net Calendar system 1.2, with gpc_magic_quotes disabled, allow remote attackers to execute arbitrary SQL commands and bypass authentication via (1) the f…

CVSS: 7.5 CWE: N/A View on NVD
2006-02-08
High

CVE-2006-0602

Multiple SQL injection vulnerabilities in Hinton Design phphg Guestbook 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) username parameter to check.php or the id parameter to…

CVSS: 7.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2006-0603

Multiple cross-site scripting vulnerabilities in signed.php in Hinton Design phphg Guestbook 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) location, (2) website, or (3…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2006-0604

check.php in Hinton Design phphg Guestbook 1.2 does not check the user password when authenticating via cookies, which allows remote attackers to gain unauthorized access.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0607

check.php in Hinton Design phphd 1.0 does not check passwords when certain cookies are provided, which allows remote attackers to bypass authentication.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2006-0608

Multiple SQL injection vulnerabilities in Hinton Design phphd 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the username parameter to check.php or (2) unknown attack vectors to…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0609

Cross-site scripting (XSS) vulnerability in add.php in Hinton Design phphd 1.0 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2006-0583

SQL injection vulnerability in mailarticle.php in Clever Copy 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0587

Unspecified vulnerability in util.php in Gallery before 1.5.2-pl2 allows remote authenticated users with trick an owner into modifying stored album data and possibly executing arbitrary code via unsp…

CVSS: 6.5 CWE: N/A View on NVD
High

CVE-2006-0588

SQL injection vulnerability in search.php in MyTopix 1.2.3 allows remote attackers to execute arbitrary SQL commands via the (1) mid and (2) keywords parameters.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2006-0589

MyTopix 1.2.3 allows remote attackers to obtain the installation path via a direct request to logon.mod.php, which leaks the path in an error message.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0590

MyTopix 1.2.3 allows remote attackers to obtain the installation path via an invalid hl parameter to index.php, which leads to path disclosure, possibly related to invalid SQL syntax.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2006-0593

Cross-site scripting (XSS) vulnerability in PHP-Fusion before 6.00.304 allows remote attackers to inject arbitrary web script or HTML via the (1) shout_name field in shoutbox_panel.php and the (2) co…

CVSS: 4.3 CWE: N/A View on NVD
2006-02-07
Medium

CVE-2006-0569

Cross-site scripting (XSS) vulnerability in user_class.php in Papoo 2.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the username field during the registration of…

CVSS: 4.3 CWE: N/A View on NVD