E107

by E107

CVEs (89)

  • CVE-2005-2327 | Jul 20, 2005
    risk 0.03 | cvss | epss 0.03

    Cross-site scripting (XSS) vulnerability in e107 0.617 and earlier allows remote attackers to inject arbitrary web script or HTML via nested [url] BBCode tags.

  • CVE-2004-2040 | May 29, 2004
    risk 0.03 | cvss | epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in e107 0.615 allow remote attackers to inject arbitrary web script or HTML via the (1) LAN_407 parameter to clock_menu.php, (2) "email article to a friend" field, (3) "submit news" field, or (4) avmsg parameter to…

  • CVE-2004-2028 | May 21, 2004
    risk 0.03 | cvss | epss 0.04

    Cross-site scripting (XSS) vulnerability in stats.php in e107 allows remote attackers to inject arbitrary web script or HTML via the referer parameter to log.php.

  • CVE-2022-50939 | Jan 13, 2026
    risk 0.00 | cvss | epss 0.01

    e107 CMS version 3.2.1 contains a critical file upload vulnerability that allows authenticated administrators to overwrite arbitrary server files through path traversal. The vulnerability exists in the Media Manager's remote URL upload functionality (image.php) where the…

  • CVE-2022-50916 | Jan 13, 2026
    risk 0.00 | cvss | epss 0.01

    e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrators to overwrite server files through the Media Manager import functionality. Attackers can exploit the upload mechanism by manipulating the upload URL parameter to overwrite existing…

  • CVE-2022-50907 | Jan 13, 2026
    risk 0.00 | cvss | epss 0.01

    e107 CMS version 3.2.1 contains a file upload vulnerability that allows authenticated administrative users to bypass upload restrictions and execute PHP files. Attackers can upload malicious PHP files to parent directories by manipulating the upload URL parameter, enabling…

  • CVE-2022-50906 | Jan 13, 2026
    risk 0.00 | cvss | epss 0.00

    e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. Attackers with admin privileges can exploit this vulnerability to upload SVG files with embedded cross-site…

  • CVE-2022-50905 | Jan 13, 2026
    risk 0.00 | cvss | epss 0.01

    e107 CMS version 3.2.1 contains multiple vulnerabilities that allow cross-site scripting (XSS) attacks. The first vulnerability is a reflected XSS that occurs in the news comment functionality when authenticated users interact with the comment form. An attacker can inject…

  • CVE-2025-61505 | Oct 10, 2025
    risk 0.00 | cvss | epss 0.00

    e107 CMS through 2.3.3 is vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized…

  • CVE-2018-16389 | Medium | Sep 12, 2018
    risk 0.00 | cvss 6.5 | epss 0.01

    e107_admin/banlist.php in e107 2.1.8 allows SQL injection via the old_ip parameter.

  • CVE-2018-16388 | High | Sep 12, 2018
    risk 0.00 | cvss 7.2 | epss 0.02

    e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the image/jpeg content type.

  • CVE-2015-1041 | Jan 15, 2015
    risk 0.00 | cvss | epss 0.03

    Cross-site scripting (XSS) vulnerability in e107_admin/filemanager.php in e107 1.0.4 allows remote attackers to inject arbitrary web script or HTML via the e107_files/ file path in the QUERY_STRING.

  • CVE-2014-9459 | Jan 2, 2015
    risk 0.00 | cvss | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin…

  • CVE-2014-4734 | Jul 21, 2014
    risk 0.00 | cvss | epss 0.02

    Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

  • CVE-2013-7305 | Jan 22, 2014
    risk 0.00 | cvss | epss 0.01

    fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user.

  • CVE-2011-4947 | Aug 31, 2012
    risk 0.00 | cvss | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in e107_admin/users_extended.php in e107 before 0.7.26 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the user_include parameter.

  • CVE-2011-4946 | Aug 31, 2012
    risk 0.00 | cvss | epss 0.01

    SQL injection vulnerability in e107_admin/users_extended.php in e107 before 0.7.26 allows remote attackers to execute arbitrary SQL commands via the user_field parameter.

  • CVE-2012-3843 | Jul 3, 2012
    risk 0.00 | cvss | epss 0.01

    Cross-site scripting (XSS) vulnerability in the registration page in e107, probably 1.0.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2010-5084 | Feb 14, 2012
    risk 0.00 | cvss | epss 0.01

    The cross-site request forgery (CSRF) protection mechanism in e107 before 0.7.23 uses a predictable random token based on the creation date of the administrator account, which allows remote attackers to hijack the authentication of administrators for requests that add new users…

  • CVE-2011-4921 | Jan 4, 2012
    risk 0.00 | cvss | epss 0.01

    SQL injection vulnerability in usersettings.php in e107 0.7.26, and possibly other versions before 1.0.0, allows remote attackers to execute arbitrary SQL commands via the username parameter.