VYPR
Vendor: Blogphp

Products: 1
CVEs: 16 (across products: 16)
Status: Private

Recent CVEs (16)

  • CVE-2018-8893 | High | Mar 31, 2018
    risk 0.57 | cvss 8.8 | epss 0.00

    Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code.

  • CVE-2018-11209 | High | May 16, 2018
    risk 0.47 | cvss 7.2 | epss 0.01

    An issue was discovered in Z-BlogPHP 2.0.0. zb_system/cmd.php?act=verify relies on MD5 for the password parameter, which might make it easier for attackers to bypass intended access restrictions via a dictionary or rainbow-table attack. NOTE: the vendor declined to accept this…

  • CVE-2018-9153 | High | Apr 16, 2018
    risk 0.47 | cvss 7.2 | epss 0.01

    The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component…

  • CVE-2018-9169 | Medium | Apr 16, 2018
    risk 0.31 | cvss 4.8 | epss 0.01

    Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF.

  • CVE-2008-6745 | Apr 23, 2009
    risk 0.03 | cvss (not shown) | epss 0.06

    index.php in BlogPHP 2.0 allows remote attackers to gain administrator privileges via a crafted email parameter in a register2 action.

  • CVE-2008-6631 | Apr 7, 2009
    risk 0.03 | cvss (not shown) | epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in index.php in BlogPHP 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) user parameter in a sendmessage action and the (2) username parameter when registering a new user, different vectors than…

  • CVE-2008-0679 | Feb 12, 2008
    risk 0.03 | cvss (not shown) | epss 0.02

    Cross-site scripting (XSS) vulnerability in index.php in BlogPHP 2.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter.

  • CVE-2008-0678 | Feb 12, 2008
    risk 0.03 | cvss (not shown) | epss 0.01

    SQL injection vulnerability in index.php in BlogPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a page action.

  • CVE-2006-0318 | Jan 19, 2006
    risk 0.03 | cvss (not shown) | epss 0.01

    SQL injection vulnerability in index.php in BlogPHP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action.

  • CVE-2024-39203 | Jul 8, 2024
    risk 0.01 | cvss (not shown) | epss 0.01

    A cross-site scripting (XSS) vulnerability in the Backend Theme Management module of Z-BlogPHP v1.7.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-55529 | Jan 6, 2025
    risk 0.00 | cvss (not shown) | epss 0.01

    Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \zb_users\theme\shell\template.

  • CVE-2020-29177 | Dec 2, 2021
    risk 0.00 | cvss (not shown) | epss 0.01

    Z-BlogPHP v1.6.1.2100 was discovered to contain an arbitrary file deletion vulnerability via \app_del.php.

  • CVE-2020-29176 | Dec 2, 2021
    risk 0.00 | cvss (not shown) | epss 0.01

    An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file.

  • CVE-2018-19463 | Nov 22, 2018
    risk 0.00 | cvss (not shown) | epss 0.02

    zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. NOTE: The vendor's position is "We have no dynamic including.…

  • CVE-2018-18381 | Oct 16, 2018
    risk 0.00 | cvss (not shown) | epss 0.01

    Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.

  • CVE-2008-2524 | Jun 3, 2008
    risk 0.00 | cvss (not shown) | epss 0.01

    BlogPHP 2.0 allows remote attackers to bypass authentication, and post (1) messages or (2) comments as an arbitrary user, via a modified blogphp_username field in a cookie.