Bloofoxcms
All CVEs
32 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-5748 | | High | 0.56 | 8.1 | 0.10 | | Dec 29, 2008 | Directory traversal vulnerability in plugins/spaw2/dialogs/dialog.php in BloofoxCMS 0.3.4 allows remote attackers to read arbitrary files via the (1) lang, (2) theme, and (3) module parameters. |
| CVE-2021-47906 | | Med | 0.42 | 6.4 | 0.00 | | Jan 23, 2026 | BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious JavaScript payloads in the text field to execute scripts and potentially steal… |
| CVE-2023-34755 | | | 0.03 | — | 0.04 | | Jun 14, 2023 | bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the userid parameter at admin/index.php?mode=user&action=edit. |
| CVE-2023-34753 | | | 0.03 | — | 0.04 | | Jun 14, 2023 | bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the tid parameter at admin/index.php?mode=settings&page=tmpl&action=edit. |
| CVE-2023-34756 | | | 0.03 | — | 0.04 | | Jun 14, 2023 | bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=charset&action=edit. |
| CVE-2023-34751 | | | 0.03 | — | 0.04 | | Jun 14, 2023 | bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the gid parameter at admin/index.php?mode=user&page=groups&action=edit. |
| CVE-2010-4870 | | | 0.03 | — | 0.01 | | Oct 7, 2011 | SQL injection vulnerability in index.php in BloofoxCMS 0.3.5 allows remote attackers to execute arbitrary SQL commands via the gender parameter. |
| CVE-2009-4522 | | | 0.03 | — | 0.02 | | Dec 31, 2009 | Cross-site scripting (XSS) vulnerability in search.5.html in BloofoxCMS 0.3.5 allows remote attackers to inject arbitrary web script or HTML via the search parameter to index.php. NOTE: some of these details are obtained from third party information. |
| CVE-2008-1313 | | | 0.03 | — | 0.01 | | Mar 12, 2008 | Multiple SQL injection vulnerabilities in index.php in Bloo 1.00 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) post_id, (2) post_category_id, (3) post_year_month, and (4) static_page_id parameters; and unspecified other vectors. |
| CVE-2008-0427 | | | 0.03 | — | 0.04 | | Jan 23, 2008 | Directory traversal vulnerability in file.php in bloofoxCMS 0.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. |
| CVE-2008-0428 | | | 0.03 | — | 0.02 | | Jan 23, 2008 | Multiple SQL injection vulnerabilities in the login function in system/class_permissions.php in bloofoxCMS 0.3 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to admin/index.php. |
| CVE-2007-2310 | | | 0.03 | — | 0.02 | | Apr 26, 2007 | Cross-site scripting (XSS) vulnerability in plugins/spaw/img_popup.php in BloofoxCMS 0.2.2 allows remote attackers to inject arbitrary web script or HTML via the img_url parameter. |
| CVE-2023-34752 | | | 0.02 | — | 0.05 | | Jun 14, 2023 | bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit. |
| CVE-2023-34754 | | | 0.01 | — | 0.03 | | Jun 14, 2023 | bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the pid parameter at admin/index.php?mode=settings&page=plugins&action=edit. |
| CVE-2020-36082 | | | 0.00 | — | 0.01 | | Aug 11, 2023 | File upload vulnerability in bloofoxCMS version 0.5.2.1 allows remote attackers to execute arbitrary code and escalate privileges via a crafted webshell file sent to the upload module. |
| CVE-2023-34750 | | | 0.00 | — | 0.01 | | Jun 14, 2023 | bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=projects&action=edit. |
| CVE-2023-29597 | | | 0.00 | — | 0.01 | | Apr 13, 2023 | bloofox v0.5.2 was discovered to contain a SQL injection vulnerability via the component /index.php?mode=content&page=pages&action=edit&eid=1. |
| CVE-2023-27812 | | | 0.00 | — | 0.01 | | Apr 13, 2023 | bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function. |
| CVE-2023-23151 | | | 0.00 | — | 0.01 | | Jan 25, 2023 | bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file deletion vulnerability via the component /include/inc_content_media.php. |
| CVE-2022-28528 | | | 0.00 | — | 0.01 | | Apr 26, 2022 | bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?mode=content&page=media&action=edit. |
| CVE-2021-44610 | | | 0.00 | — | 0.01 | | Feb 23, 2022 | Multiple SQL injection vulnerabilities exist in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) URLs, (2) lang_id, (3) tmpl_id, (4) mod_rewrite, (5) eta_doctype, (6) meta_charset, (7) default_group, and (8) page group parameters in the settings mode in admin/index.php. |
| CVE-2021-44608 | | | 0.00 | — | 0.00 | | Feb 23, 2022 | Multiple cross-site scripting (XSS) vulnerabilities exist in bloofoxCMS 0.5.2.1 - 0.5.1 via the (1) file parameter and (2) type parameter in an edit action in index.php. |
| CVE-2020-35760 | | | 0.00 | — | 0.02 | | Jun 16, 2021 | bloofoxCMS 0.5.2.1 contains an unrestricted file upload vulnerability that allows attackers to upload malicious files (e.g. PHP files). |
| CVE-2020-35761 | | | 0.00 | — | 0.01 | | Jun 16, 2021 | bloofoxCMS 0.5.2.1 contains an XSS vulnerability that allows remote attackers to execute arbitrary JS/HTML code. |
| CVE-2020-36139 | | | 0.00 | — | 0.01 | | Jun 4, 2021 | BloofoxCMS 0.5.2.1 allows reflected cross-site scripting (XSS) by inserting an XSS payload within the 'fileurl' parameter. |
| CVE-2020-36140 | | | 0.00 | — | 0.01 | | Jun 4, 2021 | BloofoxCMS 0.5.2.1 allows cross-site request forgery (CSRF) via 'mode=settings&page=editor', as demonstrated by use of 'mode=settings&page=editor' to change any file content (locally/remotely). |
| CVE-2020-36141 | | | 0.00 | — | 0.01 | | Jun 4, 2021 | BloofoxCMS 0.5.2.1 allows unrestricted file upload by bypassing MIME type validation, by inserting 'image/jpeg' within the 'Content-Type' header. |
| CVE-2020-36142 | | | 0.00 | — | 0.01 | | Jun 4, 2021 | BloofoxCMS 0.5.2.1 allows directory traversal by inserting '../' payloads within the 'fileurl' parameter. |
| CVE-2020-35709 | | | 0.00 | — | 0.01 | | Dec 25, 2020 | bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files (with "Content-Type: application/octet-stream") to ../media/images/ via the admin/index.php?mode=tools&page=upload URI, aka directory traversal. |
| CVE-2007-2311 | | | 0.00 | — | 0.01 | | Apr 26, 2007 | PHP remote file inclusion vulnerability in install/index.php in BlooFoxCMS 0.2.2 allows remote attackers to execute arbitrary PHP code via a URL in the content_php parameter. NOTE: this issue has been disputed by a reliable third party, stating that content_php is initialized… |
| CVE-2006-6023 | | | 0.00 | — | 0.01 | | Nov 21, 2006 | PHP remote file inclusion vulnerability in phoo.base.php in Bill Roberts Bloo 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the descriptorFileList parameter. NOTE: this issue is disputed by CVE since $descriptorFileList is used in a function definition… |
| CVE-2006-6019 | | | 0.00 | — | 0.01 | | Nov 21, 2006 | Cross-site scripting (XSS) vulnerability in extensions/googiespell/googlespell_proxy.php in Bill Roberts Bloo 1.0 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. |