Unrated severityNVD Advisory· Published Mar 20, 2007· Updated Apr 23, 2026

CVE-2007-1520

Description

The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.

Affected products

Phpnuke/Php Nuke13 versions
cpe:2.3:a:phpnuke:php-nuke:*:*:*:*:*:*:*:*+ 12 more
- cpe:2.3:a:phpnuke:php-nuke:*:*:*:*:*:*:*:*range: <=8.0
- cpe:2.3:a:phpnuke:php-nuke:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpnuke:php-nuke:7.9:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

phpfi.com/214668nvdExploitURL Repurposed
www.ush.it/2007/03/09/php-nuke-wild-post-xss/nvdExploit
www.wisec.it/ush/phpnukexss.htmlnvdExploit
secunia.com/advisories/24629nvdVendor Advisory
osvdb.org/34501nvd
www.securityfocus.com/archive/1/462308/100/100/threadednvd
www.securityfocus.com/archive/1/462575/100/0/threadednvd
www.securityfocus.com/archive/1/462727/100/0/threadednvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000