Bloofoxcms
Products
2- 9 CVEs
- 3 CVEs
Recent CVEs
12| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2008-5748 | Hig | 0.56 | 8.1 | 0.09 | Dec 29, 2008 | Directory traversal vulnerability in plugins/spaw2/dialogs/dialog.php in BloofoxCMS 0.3.4 allows remote attackers to read arbitrary files via the (1) lang, (2) theme, and (3) module parameters. | |
| CVE-2021-47906 | Med | 0.42 | 6.4 | 0.00 | Jan 23, 2026 | BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies. | |
| CVE-2020-37241 | Med | 0.34 | 5.3 | — | May 16, 2026 | bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent. | |
| CVE-2008-0427 | 0.04 | — | 0.16 | Jan 23, 2008 | Directory traversal vulnerability in file.php in bloofoxCMS 0.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. | ||
| CVE-2010-4870 | 0.03 | — | 0.02 | Oct 7, 2011 | SQL injection vulnerability in index.php in BloofoxCMS 0.3.5 allows remote attackers to execute arbitrary SQL commands via the gender parameter. | ||
| CVE-2009-4522 | 0.03 | — | 0.03 | Dec 31, 2009 | Cross-site scripting (XSS) vulnerability in search.5.html in BloofoxCMS 0.3.5 allows remote attackers to inject arbitrary web script or HTML via the search parameter to index.php. NOTE: some of these details are obtained from third party information. | ||
| CVE-2008-1313 | 0.03 | — | 0.01 | Mar 12, 2008 | Multiple SQL injection vulnerabilities in index.php in Bloo 1.00 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) post_id, (2) post_category_id, (3) post_year_month, and (4) static_page_id parameters; and unspecified other vectors. | ||
| CVE-2008-0428 | 0.03 | — | 0.01 | Jan 23, 2008 | Multiple SQL injection vulnerabilities in the login function in system/class_permissions.php in bloofoxCMS 0.3 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to admin/index.php. | ||
| CVE-2007-2310 | 0.03 | — | 0.03 | Apr 26, 2007 | Cross-site scripting (XSS) vulnerability in plugins/spaw/img_popup.php in BloofoxCMS 0.2.2 allows remote attackers to inject arbitrary web script or HTML via the img_url parameter. | ||
| CVE-2007-2311 | 0.00 | — | 0.01 | Apr 26, 2007 | PHP remote file inclusion vulnerability in install/index.php in BlooFoxCMS 0.2.2 allows remote attackers to execute arbitrary PHP code via a URL in the content_php parameter. NOTE: this issue has been disputed by a reliable third party, stating that content_php is initialized before use | ||
| CVE-2006-6023 | 0.00 | — | 0.01 | Nov 21, 2006 | PHP remote file inclusion vulnerability in phoo.base.php in Bill Roberts Bloo 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the descriptorFileList parameter. NOTE: this issue is disputed by CVE since $descriptorFileList is used in a function definition within phoo.base.php | ||
| CVE-2006-6019 | 0.00 | — | 0.01 | Nov 21, 2006 | Cross-site scripting (XSS) vulnerability in extensions/googiespell/googlespell_proxy.php in Bill Roberts Bloo 1.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. |
- risk 0.56cvss 8.1epss 0.09
Directory traversal vulnerability in plugins/spaw2/dialogs/dialog.php in BloofoxCMS 0.3.4 allows remote attackers to read arbitrary files via the (1) lang, (2) theme, and (3) module parameters.
- risk 0.42cvss 6.4epss 0.00
BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies.
- risk 0.34cvss 5.3epss —
bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent.
- CVE-2008-0427Jan 23, 2008risk 0.04cvss —epss 0.16
Directory traversal vulnerability in file.php in bloofoxCMS 0.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
- CVE-2010-4870Oct 7, 2011risk 0.03cvss —epss 0.02
SQL injection vulnerability in index.php in BloofoxCMS 0.3.5 allows remote attackers to execute arbitrary SQL commands via the gender parameter.
- CVE-2009-4522Dec 31, 2009risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in search.5.html in BloofoxCMS 0.3.5 allows remote attackers to inject arbitrary web script or HTML via the search parameter to index.php. NOTE: some of these details are obtained from third party information.
- CVE-2008-1313Mar 12, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in index.php in Bloo 1.00 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) post_id, (2) post_category_id, (3) post_year_month, and (4) static_page_id parameters; and unspecified other vectors.
- CVE-2008-0428Jan 23, 2008risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in the login function in system/class_permissions.php in bloofoxCMS 0.3 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to admin/index.php.
- CVE-2007-2310Apr 26, 2007risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in plugins/spaw/img_popup.php in BloofoxCMS 0.2.2 allows remote attackers to inject arbitrary web script or HTML via the img_url parameter.
- CVE-2007-2311Apr 26, 2007risk 0.00cvss —epss 0.01
PHP remote file inclusion vulnerability in install/index.php in BlooFoxCMS 0.2.2 allows remote attackers to execute arbitrary PHP code via a URL in the content_php parameter. NOTE: this issue has been disputed by a reliable third party, stating that content_php is initialized before use
- CVE-2006-6023Nov 21, 2006risk 0.00cvss —epss 0.01
PHP remote file inclusion vulnerability in phoo.base.php in Bill Roberts Bloo 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the descriptorFileList parameter. NOTE: this issue is disputed by CVE since $descriptorFileList is used in a function definition within phoo.base.php
- CVE-2006-6019Nov 21, 2006risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in extensions/googiespell/googlespell_proxy.php in Bill Roberts Bloo 1.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.