Php Nuke
Sign in to watchby PHP-Nuke
CVEs (95)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2004-1987 | 0.00 | — | 0.00 | Apr 30, 2004 | picmgmtbatch.inc.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to execute arbitrary commands via shell metacharacters in the (1) $CONFIG['impath'] or (2) $CONFIG['jpeg_qual'] parameters. | ||
| CVE-2004-1840 | 0.00 | — | 0.00 | Mar 22, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to modules.php, or (4) overview parameter to modules.php. | ||
| CVE-2004-1839 | 0.00 | — | 0.00 | Mar 22, 2004 | MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain sensitive information via a direct request to (1) browsers.php, (2) mstrack.php, or (3) title.php, which reveal the full path in a PHP error message. | ||
| CVE-2003-1526 | 0.00 | — | 0.00 | Dec 31, 2003 | PHP-Nuke 7.0 allows remote attackers to obtain the installation path via certain characters such as (1) ", (2) ', or (3) > in the search field, which reveals the path in an error message. | ||
| CVE-2003-1547 | 0.00 | — | 0.00 | Dec 31, 2003 | Cross-site scripting (XSS) vulnerability in block-Forums.php in the Splatt Forum module for PHP-Nuke 6.x allows remote attackers to inject arbitrary web script or HTML via the subject parameter. | ||
| CVE-2003-0279 | 0.00 | — | 0.00 | Jun 16, 2003 | Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 5.x through 6.5 allows remote attackers to steal sensitive information via numeric fields, as demonstrated using (1) the viewlink function and cid parameter, or (2) index.php. | ||
| CVE-2003-0318 | 0.00 | — | 0.00 | Jun 9, 2003 | Cross-site scripting (XSS) vulnerability in the Statistics module for PHP-Nuke 6.0 and earlier allows remote attackers to insert arbitrary web script via the year parameter. | ||
| CVE-2001-1522 | 0.00 | — | 0.00 | Dec 31, 2001 | Cross-site scripting (XSS) vulnerability in im.php in IMessenger for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via a message. | ||
| CVE-2001-0854 | 0.00 | — | 0.00 | Dec 6, 2001 | PHP-Nuke 5.2 allows remote attackers to copy and delete arbitrary files by calling case.filemanager.php with admin.php as an argument, which sets the $PHP_SELF variable and makes it appear that case.filemanager.php is being called by admin.php instead of the user. | ||
| CVE-2001-0911 | 0.00 | — | 0.00 | Nov 21, 2001 | PHP-Nuke 5.1 stores user and administrator passwords in a base-64 encoded cookie, which could allow remote attackers to gain privileges by stealing or sniffing the cookie and decoding it. | ||
| CVE-2001-1025 | 0.00 | — | 0.00 | Aug 31, 2001 | PHP-Nuke 5.x allows remote attackers to perform arbitrary SQL operations by modifying the "prefix" variable when calling any scripts that do not already define the prefix variable (e.g., by including mainfile.php), such as article.php. | ||
| CVE-2001-0001 | 0.00 | — | 0.00 | Jun 2, 2001 | cookiedecode function in PHP-Nuke 4.4 allows users to bypass authentication and gain access to other user accounts by extracting the authentication information from a cookie. | ||
| CVE-2001-0321 | 0.00 | — | 0.00 | May 3, 2001 | opendir.php script in PHP-Nuke allows remote attackers to read arbitrary files by specifying the filename as an argument to the requesturl parameter. | ||
| CVE-2001-0292 | 0.00 | — | 0.00 | May 3, 2001 | PHP-Nuke 4.4.1a allows remote attackers to modify a user's email address and obtain the password by guessing the user id (UID) and calling user.php with the saveuser operator. | ||
| CVE-2001-0320 | 0.00 | — | 0.00 | May 3, 2001 | bb_smilies.php and bbcode_ref.php in PHP-Nuke 4.4 allows remote attackers to read arbitrary files and gain PHP administrator privileges by inserting a null character and .. (dot dot) sequences into a malformed username argument. |
Page 5 of 5