E107
by E107
CVEs (89)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2003-1191 | | | 0.04 | — | 0.08 | | Oct 29, 2003 | chatbox.php in e107 0.554 and 0.603 allows remote attackers to cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded. |
| CVE-2021-27885 | | Hig | 0.03 | 8.8 | 0.03 | | Mar 2, 2021 | usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. |
| CVE-2015-1057 | | | 0.03 | — | 0.03 | | Jan 16, 2015 | Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value. |
| CVE-2013-2750 | | | 0.03 | — | 0.03 | | Jan 22, 2014 | Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string. |
| CVE-2012-6434 | | | 0.03 | — | 0.01 | | Jan 3, 2013 | Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3)… |
| CVE-2012-6433 | | | 0.03 | — | 0.02 | | Jan 3, 2013 | Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action. |
| CVE-2011-5186 | | | 0.03 | — | 0.01 | | Sep 20, 2012 | Cross-site scripting (XSS) vulnerability in jbshop.php in the jbShop plugin for e107 7 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter. |
| CVE-2011-1513 | | | 0.03 | — | 0.06 | | Nov 4, 2011 | Static code injection vulnerability in install_.php in e107 CMS 0.7.24 and probably earlier versions, when the installation script is not removed, allows remote attackers to inject arbitrary PHP code into e107_config.php via a crafted MySQL server name. |
| CVE-2010-2099 | | | 0.03 | — | 0.05 | | May 27, 2010 | bbcode/php.bb in e107 0.7.20 and earlier does not perform access control checks for all inputs that could contain the php bbcode tag, which allows remote attackers to execute arbitrary PHP code, as demonstrated using the toEmail method in contact.php, related to invocations of… |
| CVE-2009-3444 | | | 0.03 | — | 0.02 | | Sep 28, 2009 | Cross-site scripting (XSS) vulnerability in email.php in e107 0.7.16 and earlier allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header in a news.1 (aka news to email) action. |
| CVE-2009-1409 | | | 0.03 | — | 0.01 | | Apr 24, 2009 | SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and… |
| CVE-2008-5320 | | | 0.03 | — | 0.02 | | Dec 3, 2008 | SQL injection vulnerability in usersettings.php in e107 0.7.13 and earlier allows remote authenticated users to execute arbitrary SQL commands via the ue[] parameter. |
| CVE-2008-4906 | | | 0.03 | — | 0.01 | | Nov 4, 2008 | SQL injection vulnerability in lyrics_song.php in the Lyrics (lyrics_menu) plugin 0.42 for e107 allows remote attackers to execute arbitrary SQL commands via the l_id parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2008-4785 | | | 0.03 | — | 0.01 | | Oct 29, 2008 | SQL injection vulnerability in newuser.php in the alternate_profiles plugin, possibly 0.2, for e107 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2008-1702 | | | 0.03 | — | 0.06 | | Apr 8, 2008 | Absolute path traversal vulnerability in dload.php in the my_gallery 2.3 plugin for e107 allows remote attackers to obtain sensitive information via a full pathname in the file parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2007-3429 | | | 0.03 | — | 0.02 | | Jun 27, 2007 | Unrestricted file upload vulnerability in signup.php in e107 0.7.8 and earlier, when photograph upload is enabled, allows remote attackers to upload and execute arbitrary PHP code via a filename with a double extension such as .php.jpg. |
| CVE-2006-5786 | | | 0.03 | — | 0.02 | | Nov 7, 2006 | Directory traversal vulnerability in class2.php in e107 0.7.5 and earlier allows remote attackers to read and execute PHP code in arbitrary files via ".." sequences in the e107language_e107cookie cookie to gsitemap.php. |
| CVE-2006-4794 | | | 0.03 | — | 0.05 | | Sep 14, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allow remote attackers to inject arbitrary web script or HTML via the query string (PATH_INFO) in (1) contact.php, (2) download.php, (3) admin.php, (4) fpw.php, (5) news.php, (6) search.php, (7) signup.php, (8)… |
| CVE-2006-3259 | | | 0.03 | — | 0.04 | | Jun 27, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) ep parameter to search.php and the (2) subject parameter in comment.php (aka the Subject field when posting a comment). |
| CVE-2006-0857 | | | 0.03 | — | 0.03 | | Feb 23, 2006 | Cross-site scripting (XSS) vulnerability in Chatbox Plugin 1.0 in e107 0.7.2 allows remote attackers to inject arbitrary HTML or web script via a Chatbox, as demonstrated using a SCRIPT element. |