Photopost PHP Pro

CVEs (16)

CVE	Risk	CVSS	EPSS	Published	Description
CVE-2004-1871	0.04	—	0.12	Mar 29, 2004	Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ppuser, (2) password, (3) stype, (4) perpage, (5) sort, (6) page, (7) si, or (8) cat parameters to showmembers.php, or the (9) photo name, (10) photo description, (11) album name, or (12) album description fields.
CVE-2006-4828	0.03	—	0.02	Sep 15, 2006	PHP remote file inclusion vulnerability in zipndownload.php in PhotoPost 4.0 through 4.6 allows remote attackers to execute arbitrary PHP code via a URL in the PP_PATH parameter.
CVE-2005-1629	0.03	—	0.00	May 17, 2005	SQL injection vulnerability in member.php for Photopost PHP Pro allows remote attackers to execute arbitrary SQL commands via the verifykey parameter.
CVE-2005-0273	0.03	—	0.01	May 2, 2005	Multiple SQL injection vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) ppuser parameter.
CVE-2005-0928	0.03	—	0.04	May 2, 2005	Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 5.x allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) password, (3) ppuser, (4) sort, or (5) si parameters to showgallery.php, the (6) ppuser, (7) sort, or (8) si parameters to showmembers.php, or (9) the photo parameter to slideshow.php.
CVE-2005-0776	0.03	—	0.06	May 2, 2005	adm-photo.php in PhotoPost PHP 5.0 RC3 does not properly verify administrative privileges before manipulating photos, which could allow remote attackers to manipulate other users' photos.
CVE-2005-0274	0.03	—	0.06	Jan 3, 2005	Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) si, (3) page, or (4) ppuser parameters.
CVE-2004-0239	0.03	—	0.00	Nov 23, 2004	SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain unauthorized access via the photo variable.
CVE-2004-1870	0.03	—	0.01	Mar 29, 2004	Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to gain users' passwords via the (1) photo parameter to addfav.php, (2) photo parameter to comments.php, (3) credit parameter to comments.php, (4) cat parameter to index.php, (5) ppuser parameter to showgallery.php, (6) cat parameter to showgallery.php, (7) cat parameter to uploadphoto.php, (8) albumid parameter to useralbums.php, or (9) albumid parameter to useralbums.php.
CVE-2006-4990	0.00	—	0.04	Sep 26, 2006	Multiple PHP remote file inclusion vulnerabilities in PhotoPost allow remote attackers to execute arbitrary PHP code via a URL in the PP_PATH parameter in (1) addfav.php, (2) adm-admlog.php, (3) adm-approve.php, (4) adm-backup.php, (5) adm-cats.php, (6) adm-cinc.php, (7) adm-db.php, (8) adm-editcfg.php, (9) adm-inc.php, (10) adm-index.php, (11) adm-modcom.php, (12) adm-move.php, (13) adm-options.php, (14) adm-order.php, (15) adm-pa.php, (16) adm-photo.php, (17) adm-purge.php, (18) adm-style.php, (19) adm-templ.php, (20) adm-userg.php, (21) adm-users.php, (22) bulkupload.php, (23) cookies.php, (24) comments.php, (25) ecard.php, (26) editphoto.php, (27) register.php, (28) showgallery.php, (29) showmembers.php, (30) useralbums.php, (31) uploadphoto.php, (32) search.php, or (33) adm-menu.php, different vectors than CVE-2006-4828.
CVE-2005-2737	0.00	—	0.01	Aug 30, 2005	Cross-site scripting (XSS) vulnerability in PhotoPost PHP Pro 5.1 allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.
CVE-2005-0775	0.00	—	0.01	May 2, 2005	The reportpost action in misc.php for PhotoPost PHP 5.0 RC3 does not limit the logging data that is sent to the administrator, which allows remote attackers to send large amounts of email to the administrator.
CVE-2005-0777	0.00	—	0.00	May 2, 2005	Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP 5.0 RC3 allow remote attackers to inject arbitrary web script or HTML via (1) the check_tags function or (2) the editbio field in the user profile.
CVE-2005-0778	0.00	—	0.00	May 2, 2005	PhotoPost PHP 5.0 RC3 does not fully verify that an uploaded file is an image file, which allows remote attackers to inject arbitrary Javascript by uploading non-image files with an image extension such as .gif.
CVE-2005-0774	0.00	—	0.01	Mar 10, 2005	SQL injection vulnerability in member.php and possibly other scripts in PhotoPost PHP 5.0 RC3 allows remote attackers to execute arbitrary SQL commands via the uid parameter.
CVE-2004-0250	0.00	—	0.01	Nov 23, 2004	SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php.

CVE-2004-1871Mar 29, 2004
risk 0.04cvss —epss 0.12
Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ppuser, (2) password, (3) stype, (4) perpage, (5) sort, (6) page, (7) si, or (8) cat parameters to showmembers.php, or the (9) photo name, (10) photo description, (11) album name, or (12) album description fields.
CVE-2006-4828Sep 15, 2006
risk 0.03cvss —epss 0.02
PHP remote file inclusion vulnerability in zipndownload.php in PhotoPost 4.0 through 4.6 allows remote attackers to execute arbitrary PHP code via a URL in the PP_PATH parameter.
CVE-2005-1629May 17, 2005
risk 0.03cvss —epss 0.00
SQL injection vulnerability in member.php for Photopost PHP Pro allows remote attackers to execute arbitrary SQL commands via the verifykey parameter.
CVE-2005-0273May 2, 2005
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) ppuser parameter.
CVE-2005-0928May 2, 2005
risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 5.x allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) password, (3) ppuser, (4) sort, or (5) si parameters to showgallery.php, the (6) ppuser, (7) sort, or (8) si parameters to showmembers.php, or (9) the photo parameter to slideshow.php.
CVE-2005-0776May 2, 2005
risk 0.03cvss —epss 0.06
adm-photo.php in PhotoPost PHP 5.0 RC3 does not properly verify administrative privileges before manipulating photos, which could allow remote attackers to manipulate other users' photos.
CVE-2005-0274Jan 3, 2005
risk 0.03cvss —epss 0.06
Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) si, (3) page, or (4) ppuser parameters.
CVE-2004-0239Nov 23, 2004
risk 0.03cvss —epss 0.00
SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain unauthorized access via the photo variable.
CVE-2004-1870Mar 29, 2004
risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to gain users' passwords via the (1) photo parameter to addfav.php, (2) photo parameter to comments.php, (3) credit parameter to comments.php, (4) cat parameter to index.php, (5) ppuser parameter to showgallery.php, (6) cat parameter to showgallery.php, (7) cat parameter to uploadphoto.php, (8) albumid parameter to useralbums.php, or (9) albumid parameter to useralbums.php.
CVE-2006-4990Sep 26, 2006
risk 0.00cvss —epss 0.04
Multiple PHP remote file inclusion vulnerabilities in PhotoPost allow remote attackers to execute arbitrary PHP code via a URL in the PP_PATH parameter in (1) addfav.php, (2) adm-admlog.php, (3) adm-approve.php, (4) adm-backup.php, (5) adm-cats.php, (6) adm-cinc.php, (7) adm-db.php, (8) adm-editcfg.php, (9) adm-inc.php, (10) adm-index.php, (11) adm-modcom.php, (12) adm-move.php, (13) adm-options.php, (14) adm-order.php, (15) adm-pa.php, (16) adm-photo.php, (17) adm-purge.php, (18) adm-style.php, (19) adm-templ.php, (20) adm-userg.php, (21) adm-users.php, (22) bulkupload.php, (23) cookies.php, (24) comments.php, (25) ecard.php, (26) editphoto.php, (27) register.php, (28) showgallery.php, (29) showmembers.php, (30) useralbums.php, (31) uploadphoto.php, (32) search.php, or (33) adm-menu.php, different vectors than CVE-2006-4828.
CVE-2005-2737Aug 30, 2005
risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in PhotoPost PHP Pro 5.1 allows remote attackers to inject arbitrary web script or HTML via EXIF data, such as the Camera Model Tag.
CVE-2005-0775May 2, 2005
risk 0.00cvss —epss 0.01
The reportpost action in misc.php for PhotoPost PHP 5.0 RC3 does not limit the logging data that is sent to the administrator, which allows remote attackers to send large amounts of email to the administrator.
CVE-2005-0777May 2, 2005
risk 0.00cvss —epss 0.00
Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP 5.0 RC3 allow remote attackers to inject arbitrary web script or HTML via (1) the check_tags function or (2) the editbio field in the user profile.
CVE-2005-0778May 2, 2005
risk 0.00cvss —epss 0.00
PhotoPost PHP 5.0 RC3 does not fully verify that an uploaded file is an image file, which allows remote attackers to inject arbitrary Javascript by uploading non-image files with an image extension such as .gif.
CVE-2005-0774Mar 10, 2005
risk 0.00cvss —epss 0.01
SQL injection vulnerability in member.php and possibly other scripts in PhotoPost PHP 5.0 RC3 allows remote attackers to execute arbitrary SQL commands via the uid parameter.
CVE-2004-0250Nov 23, 2004
risk 0.00cvss —epss 0.01
SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php.