CVE Daily
← All tags

Tag: PHP

All CVEs associated with "PHP". Page 301/311 • 37316 CVEs.

Subscribe CVEs: RSS for “PHP”  ·  RSS (High+Critical only)

About “PHP”

A curated feed of “PHP”-related CVEs appears below. We currently track 37316 CVEs for this tag (all time). In the last 365 days, 6066 were published. Average CVSS is 6.7 (all time; 6.9 over 365d), and 50% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2005-07-27
Medium

CVE-2005-2392

Cross-site scripting (XSS) vulnerability in index.php for CMSimple 2.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in the search function.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2393

Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remote attackers to inject arbitrary web script or HTML via (1) the lastusername parameter to index.php or (2) selected_search_arch p…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2394

show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the full path of the server via an invalid archive parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2397

Cross-site scripting (XSS) vulnerability in guestbook.php in phpBook 1.46 allows remote attackers to inject arbitrary web script or HTML via the admin parameter.

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2005-2398

Multiple SQL injection vulnerabilities in PHP Surveyor 0.98 allows remote attackers to execute arbitrary SQL commands via (1) the sid, start, and id parameters to browse.php, the sid parameter to (2)…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2399

PHP Surveyor 0.98 allows remote attackers to trigger SQL errors via missing parameters to (1) browse.php, (2) export.php, (3) conditions.php, or (4) spss.php.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2400

The inc.login.php scripts in PHPFinance 0.3 allows remote attackers to bypass the login and gain privileges.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2401

PHP-Fusion allows remote attackers to inject arbitrary Cascading Style Sheets (CSS) via the BBCode color tag.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2402

Cross-site scripting (XSS) vulnerability in search.php in PHPSiteSearch 1.7.7d allows remote attackers to inject arbitrary web script or HTML via the query parameter.

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2005-2404

SQL injection vulnerability in sendcard.php in Sendcard 3.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: N/A View on NVD
2005-07-26
Medium

CVE-2005-2380

Multiple cross-site scripting vulnerabilities in PHP Surveyor 0.98 allow remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) start, and (3) id parameters to browse.php, or th…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2381

PHP Surveyor 0.98 allows remote attackers to obtain sensitive information via a direct request to (1) question.php, (2) survey.php, or (3) group.php in the root directory, a direct request to (4) dat…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-2383

SQL injection vulnerability in auth.php in PHPNews 1.2.5 allows remote attackers to execute arbitrary SQL commands via the user parameter in an HTTP POST request.

CVSS: 7.5 CWE: N/A View on NVD
2005-07-20
Medium

CVE-2005-2328

PHP remote file inclusion vulnerability in im.php in Laffer 0.3.2.6 and 0.3.2.7 allows remote attackers to execute arbitrary PHP code via the CFG_PATH variable.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2330

Directory traversal vulnerability in extras/update.php in osCommerce 2.2 allows remote attackers to read arbitrary files via (1) .. sequences or (2) a full pathname in the readme_file parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2331

PHP remote file inclusion vulnerability in display.php in MooseGallery allows remote attackers to execute arbitrary PHP code via the type parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2332

Cross-site scripting (XSS) vulnerability in PHPPageProtect 1.0.0a allows remote attackers to inject arbitrary web script or HTML via the username parameter to (1) admin.php or (2) login.php.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2333

Cross-site scripting (XSS) vulnerability in smilies_popup.php in SEO-Board 1.0 allows remote attackers to inject arbitrary web script or HTML via the doc parameter.

CVSS: 4.3 CWE: N/A View on NVD
2005-07-19
High

CVE-2005-2312

management.php in Realnode Emilda 1.2.2 and earlier allows remote attackers to perform actions as other users by modifying the user_id parameter.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2314

inc.login.php in PHPsFTPd 0.2 through 0.4 allows remote attackers to obtain the administrator's username and password by setting the do_login parameter and performing an edit action using user.php, w…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2319

PHP remote file include vulnerability in Yawp library 1.0.6 and earlier, as used in YaWiki and possibly other products, allows remote attackers to include arbitrary files via the _Yawp[conf_path] par…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-2320

WebCalendar before 1.0.0 does not properly restrict access to assistant_edit.php, which allows remote attackers to gain privileges.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2321

PHP remote file inclusion vulnerability in CaLogic 1.2.2 allows remote attackers to execute arbitrary code via the CLPATH parameter to (1) cl_minical.php, (2) clmcpreload.php, (3) mcconfig.php, or (4…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2322

Cross-site scripting (XSS) vulnerability in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allows remote attackers to inject arbitrary web script or HTML via the (1) viewuser…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2005-2323

Multiple SQL injection vulnerabilities in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allow remote attackers to modify SQL statements via the (1) id parameter to viewattac…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2324

Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the searchtype or searchterm parameters to (1) results.php or (…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2325

Clever Copy 2.0 and 2.0a allows remote attackers to obtain the full path of the web root via a direct request to (1) ticker.php, (2) menu.php, (3) banned.php, (4) endlayout.php, (5) randomhlinesblock…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2326

Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the yr parameter to calendar.php.

CVSS: 4.3 CWE: N/A View on NVD
2005-07-18
Medium

CVE-2005-2289

PHPCounter 7.2 allows remote attackers to obtain sensitive information via a direct request to prelims.php, which reveals the path in an error message.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2296

YabbSE 1.5.5c allows remote attackers to obtain sensitive information via a direct request to ssi_examples.php, which reveals the path.

CVSS: 5.0 CWE: N/A View on NVD
2005-07-13
Medium

CVE-2005-2095

options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, cond…

CVSS: 4.3 CWE: N/A View on NVD
Critical

CVE-2005-2249

Multiple unknown vulnerabilities in Jinzora 2.0.1 have unknown impact and attack vectors, possibly involving a PHP file inclusion vulnerability.

CVSS: 10.0 CWE: N/A View on NVD
High

CVE-2005-2251

PHP remote file inclusion vulnerability in secure.php in PHPSecurePages (phpSP) 0.28beta and earlier allows remote attackers to execute arbitrary code via the cfgProgDir parameter, a variant of CVE-2…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2253

SQL injection vulnerability in PhpAuction 2.5 allow remote attackers to modify SQL queries via the category parameter to adsearch.php. NOTE: there is evidence that viewnews.php may not be part of the…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2254

Multiple cross-site scripting (XSS) vulnerabilities in PhpAuction 2.5 allow remote attackers to inject arbitrary web script or HTML via the lan parameter to (1) index.php or (2) admin/index.php, or (…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2005-2255

Directory traversal vulnerability in PhpAuction 2.5 allows remote attackers to read arbitrary files, include local PHP files, or obtain sensitive path information via ".." sequences in the lan param…

CVSS: 6.4 CWE: N/A View on NVD
High

CVE-2005-2258

PHP remote file inclusion vulnerability in photolist.inc.php in Squito Gallery 1.33 allows remote attackers to execute arbitrary code via the photoroot parameter.

CVSS: 7.5 CWE: N/A View on NVD
2005-07-12
High

CVE-2005-2216

PHP remote file inclusion vulnerability in gals.php in PhotoGal Photo Gallery 1.5 and earlier allows remote attackers to execute arbitrary code via the news_file parameter.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2246

Multiple PHP remote file inclusion vulnerabilities in iPhotoAlbum 1.1 allow remote attackers to execute arbitrary code via the (1) doc_path parameter to getpage.php or (2) set_menu parameter to lib/s…

CVSS: 7.5 CWE: N/A View on NVD
2005-07-11
Medium

CVE-2005-2179

PHP remote file inclusion vulnerability in BlogModel.php in Jaws 0.5.2 and earlier allows remote attackers to execute arbitrary PHP code via the path parameter.

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-2183

class.xmail.php in PhpXmail 0.7 through 1.1 does not properly handle large passwords, which prevents an error message from being returned and allows remote attackers to bypass authentication and gain…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2193

SQL injection vulnerability in the user profile edit module in profile.php for PunBB 1.2.5 and earlier allows remote attackers to execute arbitrary SQL statements via the temp array, which is not ini…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2197

SQL injection vulnerability in sql.cls.php in Id Board 1.1.3 allows remote attackers to modify SQL queries, as demonstrated using the f parameter to index.php.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2198

PHP remote file inclusion vulnerability in lang.php in SPiD before 1.3.1 allows remote attackers to execute arbitrary code via the lang_path parameter.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2199

PHP remote file inclusion vulnerability in inc/functions.inc.php in PPA web photo gallery 0.5.6 allows remote attackers to execute arbitrary code via the config[ppa_root_path] variable.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2203

login.php in phpWishlist before 0.1.15 allows remote attackers to bypass authentication via a direct request to admin.php.

CVSS: 7.5 CWE: N/A View on NVD
2005-07-06
High

CVE-2005-2148

Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL by sending a legitimate value i…

CVSS: 7.5 CWE: N/A View on NVD
Critical

CVE-2005-2149

config.php in Cacti 0.8.6e and earlier allows remote attackers to set the no_http_headers switch, then modify session information to gain privileges and disable the use of addslashes to conduct SQL i…

CVSS: 10.0 CWE: N/A View on NVD
High

CVE-2005-2153

SQL injection vulnerability in class.ticket.php in osTicket 1.3.1 beta and earlier allows remote attackers to execute arbitrary SQL commands via the ticket variable.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2154

PHP local file inclusion vulnerability in (1) view.php and (2) open.php in osTicket 1.3.1 beta and earlier allows remote attackers to include and possibly execute arbitrary local files via the inc pa…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2155

PHP remote file inclusion vulnerability in EasyPHPCalendar 6.1.5 and earlier allows remote attackers to execute arbitrary code via the serverPath parameter.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-2156

SQL injection vulnerability in news.php in PHPNews 1.2.5 allows remote attackers to execute arbitrary SQL commands via the prevnext parameter.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2157

PHP remote file inclusion vulnerability in survey.inc.php for nabopoll 1.2 allows remote attackers to execute arbitrary PHP code via the path parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2162

PHP remote file inclusion vulnerability in form.inc.php3 in MyGuestbook 0.6.1 allows remote attackers to execute arbitrary PHP code via the lang parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2163

Cross-site scripting (XSS) vulnerability in index.php in AutoIndex PHP Script 1.5.2 allows remote attackers to inject arbitrary web script or HTML via the search parameter.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2166

SQL injection vulnerability in index.php in Plague News System 0.6 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2167

Cross-site scripting (XSS) vulnerability in index.php in Plague News System 0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the cid parameter.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2168

delete.php in Plague News System 0.6 and earlier allows remote unauthenticated attackers to delete news, comments, and shoutbox posts by modifying the id parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2169

Directory traversal vulnerability in source.php in Quick & Dirty PHPSource Printer 1.1 and earlier allows remote attackers to read arbitrary files via ".../...//" sequences in the file parameter, whi…

CVSS: 5.0 CWE: N/A View on NVD
2005-07-05
High

CVE-2005-1921

Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Low

CVE-2005-1932

Lpanel 1.59 and earlier, and other versions before 1.597, allows remote authenticated users to modify certain critical variables and (1) modify DNS settings for arbitrary domains via the domain param…

CVSS: 2.1 CWE: N/A View on NVD
High

CVE-2005-2086

PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2106

Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2107

Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2109

wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2110

WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.p…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2112

Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parame…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2138

Cross-site scripting (XSS) vulnerability in index.php in Comdev eCommerce 3.0 and 3.1 allows remote attackers to inject arbitrary web script or HTML via Javascript in the onMouseOver event of an "A"…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2139

PHP remote file inclusion vulnerability in user_check.php for Pavsta Auto Site allows remote attackers to execute arbitrary PHP code via the sitepath parameter.

CVSS: 5.0 CWE: N/A View on NVD
2005-06-29
Medium

CVE-2005-2057

Multiple cross-site scripting (XSS) vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to inject arbitrary web script or HTML via the (1) Searchpage parameter to dosearch…

CVSS: 6.8 CWE: N/A View on NVD
High

CVE-2005-2058

Multiple SQL injection vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to execute arbitrary SQL commands via the Number parameter to (1) download.php, (2) modifypost.p…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2059

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow…

CVSS: 6.5 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2005-2060

Multiple HTTP Response Splitting vulnerabilities in (1) toggleshow.php, (2) togglecats.php, and (3) showprofile.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to spoof web conten…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2074

Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.0.105 allows remote attackers to inject arbitrary web script or HTML via a news or article post, possibly involving the (1) news_body, (2) art…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2075

PHP-Fusion 5.0 and 6.0 stores the database file with a predictable filename under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information…

CVSS: 5.0 CWE: N/A View on NVD
2005-06-28
Medium

CVE-2005-2053

Just another flat file (JAF) CMS before 3.0 Final allows remote attackers to obtain sensitive information via (1) an * (asterisk) in the id parameter, (2) a blank id parameter, or (3) an * (asterisk)…

CVSS: 5.0 CWE: N/A View on NVD
2005-06-22
Medium

CVE-2005-1524

PHP file inclusion vulnerability in top_graph_header.php in Cacti 0.8.6d and possibly earlier versions allows remote attackers to execute arbitrary PHP code via the config[library_path] parameter.

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-1525

SQL injection vulnerability in config_settings.php for Cacti before 0.8.6e allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-1526

PHP remote file inclusion vulnerability in config_settings.php in Cacti before 0.8.6e allows remote attackers to execute arbitrary PHP code via the config[include_path] parameter.

CVSS: 7.5 CWE: N/A View on NVD
2005-06-21
High

CVE-2005-2028

SQL injection vulnerability in index.php for MercuryBoard 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.

CVSS: 7.5 CWE: N/A View on NVD
2005-06-20
Medium

CVE-2005-2013

paFAQ 1.0 Beta 4 allows remote attackers to obtain sensitive information via a direct request to admin/backup.php, which contains a backup of the database including usernames and passwords.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2014

The "upload a language pack" feature in paFAQ 1.0 Beta 4 allows remote authenticated administrators to execute arbitrary PHP commands by uploading a malicious language pack.

CVSS: 4.6 CWE: N/A View on NVD
2005-06-17
Medium

CVE-2005-2004

Multiple cross-site scripting vulnerabilities in Ultimate PHP Board (UPB) 1.9.6 GOLD and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ref parameter to login.php,…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-2029

amaroK Web Frontend 1.3 stores the globals.inc file under the web root without a .php extension and insufficient access control, which allows remote attackers to obtain the database username and pass…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2043

Directory traversal vulnerability in XAMPP before 1.4.14 allows remote attackers to inject arbitrary HTML and PHP code via lang.php.

CVSS: 5.0 CWE: N/A View on NVD
2005-06-16
High

CVE-2005-1949

The eping_validaddr function in functions.php for the ePing plugin for e107 portal allows remote attackers to execute arbitrary commands via shell metacharacters after a valid argument to the eping_h…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-1951

Multiple HTTP Response Splitting vulnerabilities in osCommerce 2.2 Milestone 2 and earlier allow remote attackers to spoof web content and poison web caches via hex-encoded CRLF ("%0d%0a") sequences…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-1954

singapore 0.9.11 allows remote attackers to obtain sensitive information via a direct request to (1) admin.class.php, (2) any .tpl.php file in templates/admin_default/, or (3) any .tpl.php file in te…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-1962

Cross-site scripting (XSS) vulnerability in Cerberus Helpdesk 0.97.3 allows remote attackers to inject arbitrary web script or HTML via the (1) errorcode parameter to index.php or (2) certain fields…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-1963

Cerberus Helpdesk 0.97.3 allows remote attackers to obtain sensitive information via certain requests to (1) reports.php, (2) knowledgebase.php, or (3) configuration.php, which leaks the information…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-1965

PHP remote file inclusion vulnerability in siteframe.php for Broadpool Siteframe allows remote attackers to execute arbitrary code via a URL in the LOCAL_PATH parameter.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2005-1975

Multiple cross-site scripting (XSS) vulnerabilities in Annuaire 1Two 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the id parameter to index.php, or the (2) si…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-2003

Ultimate PHP Board (UPB) 1.9.6 GOLD allows remote attackers to obtain sensitive information via an invalid (zero) id parameter to (1) viewtopic.php, (2) profile.php, or (3) newpost.php, which reveals…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2005

Ultimate PHP Board (UPB) 1.9.6 GOLD and earlier stores the users.dat file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information o…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2030

Ultimate PHP Board (UPB) 1.9.6 GOLD uses weak encryption for passwords in the users.dat file, which allows attackers to easily decrypt the passwords and gain privileges, possibly after exploiting CVE…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-2031

Multiple SQL injection vulnerabilities in socialMPN allow remote attackers to execute arbitrary SQL commands via (1) the sid parameter to article.php, (2) uname parameter to user.php, (3) siteid para…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2044

Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) sub…

CVSS: 4.3 CWE: N/A View on NVD
2005-06-15
Medium

CVE-2005-1995

Bitrix Site Manager 4.0.x allows remote attackers to obtain sensitive information via direct request to (1) subscr_form.php or (2) dbquery_error.php, which reveals the path in an error message.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-1996

PHP remote file inclusion vulnerability in start.php in Bitrix Site Manager 4.0.x allows remote attackers to execute arbitrary PHP code via the _SERVER[DOCUMENT_ROOT] parameter.

CVSS: 5.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2005-1997

show.php in McGallery 1.1 allows remote attackers to connect to arbitrary databases, or gain sensitive information by triggering an error, via a modified host parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-1998

Directory traversal vulnerability in admin.php in McGallery 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-1999

Multiple cross-site scripting (XSS) vulnerabilities in pafiledb.php in paFileDB 3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) sortby or (2) filelist parameters to the…

CVSS: 4.3 CWE: N/A View on NVD
High

CVE-2005-2000

Multiple SQL injection vulnerabilities in paFileDB 3.1 and earlier allow remote attackers to execute arbitrary SQL commands via the formname parameter (1) in the login form, (2) in the team login for…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-2001

Directory traversal vulnerability in pafiledb.php in paFileDB 3.1 and earlier allows remote attackers to include arbitrary files via a .. (dot dot) in the action parameter.

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-2002

SQL injection vulnerability in content.php in Mambo 4.5.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user_rating parameter.

CVSS: 7.5 CWE: N/A View on NVD
2005-06-12
Medium

CVE-2005-1955

Cross-site scripting (XSS) vulnerability in index.php in singapore 0.9.11 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter.

CVSS: 4.3 CWE: N/A View on NVD
2005-06-09
Medium

CVE-2005-1864

PHP remote file inclusion vulnerability in cal_admintop.php in Calendarix Advanced 1.5 allows remote attackers to execute arbitrary PHP code via the calpath parameter.

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2005-1865

Multiple SQL injection vulnerabilities in Calendarix Advanced 1.5 allow remote attackers to execute arbitrary SQL commands via the catview parameter to (1) cal_week.php, (2) cal_cat.php, or (3) cal_d…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2005-1868

I-Man 0.9, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code by uploading a file attachment with a .php extension.

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2005-1870

PHP remote file inclusion vulnerability in childwindow.inc.php in Popper 1.41-r2 and earlier allows remote attackers to execute arbitrary PHP code via the form parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-1876

Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a temp…

CVSS: 4.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2005-1882

PHP remote file inclusion vulnerability in last_gallery.php in YaPiG 0.93u and 0.94u allows remote attackers to execute arbitrary PHP code via the YAPIG_PATH parameter.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2005-1883

global.php in YaPiG 0.92b allows remote attackers to include arbitrary local files via the BASE_DIR parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-1884

Directory traversal vulnerability in the (1) rmdir or (2) mkdir commands in upload.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to create or delete arbitrary directories via a .. (dot…

CVSS: 6.4 CWE: N/A View on NVD
Medium

CVE-2005-1886

Cross-site scripting (XSS) vulnerability in view.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to inject arbitrary web script or HTML via (1) the phid parameter or (2) unknown parameter…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-1892

FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests…

CVSS: 6.4 CWE: CWE-425 - Direct Request ('Forced Browsing') View on NVD
High

CVE-2005-1894

Direct code injection vulnerability in FlatNuke 2.5.3 allows remote attackers to execute arbitrary PHP code by placing the code into the Referer header of an HTTP request, which causes the code to be…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2005-1895

Cross-site scripting (XSS) vulnerability in FlatNuke 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the border or back parameters to (1) help.php or (2) footer.php.

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2005-1896

Directory traversal vulnerability in thumb.php in FlatNuke 2.5.3 allows remote attackers to read arbitrary images or obtain the installation path via the image parameter.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-1898

The passthrough functionality in phpThumb.php in phpThumb() before 1.5.4 allows remote attackers to read files that are not images.

CVSS: 5.0 CWE: N/A View on NVD