Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-8893 | | High | 0.57 | 8.8 | 0.00 | | Mar 31, 2018 | Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ability to execute arbitrary PHP code. |
| CVE-2018-11209 | | High | 0.47 | 7.2 | 0.01 | | May 16, 2018 | An issue was discovered in Z-BlogPHP 2.0.0. zb_system/cmd.php?act=verify relies on MD5 for the password parameter, which might make it easier for attackers to bypass intended access restrictions via a dictionary or rainbow-table attack. NOTE: the vendor declined to accept this… |
| CVE-2018-9153 | | High | 0.47 | 7.2 | 0.01 | | Apr 16, 2018 | The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component… |
| CVE-2018-9169 | | Medium | 0.31 | 4.8 | 0.01 | | Apr 16, 2018 | Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF. |
| CVE-2008-6745 | | | 0.03 | — | 0.06 | | Apr 23, 2009 | index.php in BlogPHP 2.0 allows remote attackers to gain administrator privileges via a crafted email parameter in a register2 action. |
| CVE-2008-6631 | | | 0.03 | — | 0.02 | | Apr 7, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in BlogPHP 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) user parameter in a sendmessage action and the (2) username parameter when registering a new user, different vectors than… |
| CVE-2008-0679 | | | 0.03 | — | 0.02 | | Feb 12, 2008 | Cross-site scripting (XSS) vulnerability in index.php in BlogPHP 2.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. |
| CVE-2008-0678 | | | 0.03 | — | 0.01 | | Feb 12, 2008 | SQL injection vulnerability in index.php in BlogPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a page action. |
| CVE-2006-0318 | | | 0.03 | — | 0.01 | | Jan 19, 2006 | SQL injection vulnerability in index.php in BlogPHP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands and bypass authentication via the username parameter in a login action. |
| CVE-2024-39203 | | | 0.01 | — | 0.01 | | Jul 8, 2024 | A cross-site scripting (XSS) vulnerability in the Backend Theme Management module of Z-BlogPHP v1.7.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-55529 | | | 0.00 | — | 0.01 | | Jan 6, 2025 | Z-BlogPHP 1.7.3 is vulnerable to arbitrary code execution via \zb_users\theme\shell\template. |
| CVE-2020-29177 | | | 0.00 | — | 0.01 | | Dec 2, 2021 | Z-BlogPHP v1.6.1.2100 was discovered to contain an arbitrary file deletion vulnerability via \app_del.php. |
| CVE-2020-29176 | | | 0.00 | — | 0.01 | | Dec 2, 2021 | An arbitrary file upload vulnerability in Z-BlogPHP v1.6.1.2100 allows attackers to execute arbitrary code via a crafted JPG file. |
| CVE-2018-19463 | | | 0.00 | — | 0.02 | | Nov 22, 2018 | zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. NOTE: The vendor's position is "We have no dynamic including.… |
| CVE-2018-18381 | | | 0.00 | — | 0.01 | | Oct 16, 2018 | Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments. |
| CVE-2008-2524 | | | 0.00 | — | 0.01 | | Jun 3, 2008 | BlogPHP 2.0 allows remote attackers to bypass authentication, and post (1) messages or (2) comments as an arbitrary user, via a modified blogphp_username field in a cookie. |