E107
Recent CVEs (89 CVEs in total for this product; the 20 listed here are ordered by risk score)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-47937 | e107 | High | 0.57 | 8.8 | 0.01 | | May 10, 2026 | e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that… |
| CVE-2018-15901 | e107 | High | 0.57 | 8.8 | 0.01 | | Aug 28, 2018 | e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators. |
| CVE-2008-2020 | e107 | High | 0.49 | 7.5 | 0.02 | | Apr 30, 2008 | The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and… |
| CVE-2016-10378 | e107 | High | 0.47 | 7.2 | 0.01 | | May 29, 2017 | e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.php, related to the menuSaveVisibility function. |
| CVE-2026-43935 | e107 | High | 0.46 | 8.1 | 0.00 | | May 26, 2026 | e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks,… |
| CVE-2026-46620 | e107 | Medium | 0.42 | 6.5 | 0.00 | | May 26, 2026 | e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing… |
| CVE-2018-11127 | e107 | Medium | 0.42 | 6.5 | 0.01 | | May 15, 2018 | e107 2.1.7 has CSRF resulting in arbitrary user deletion. |
| CVE-2017-8098 | e107 | Medium | 0.42 | 6.5 | 0.01 | | Apr 24, 2017 | e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker. |
| CVE-2018-16381 | e107 | Medium | 0.40 | 6.1 | 0.01 | | Sep 5, 2018 | e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter. |
| CVE-2026-43934 | e107 | Medium | 0.35 | 6.5 | 0.00 | | May 26, 2026 | e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the… |
| CVE-2025-11941 | e107 | Medium | 0.35 | 5.4 | 0.01 | | Oct 19, 2025 | A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to… |
| CVE-2018-17081 | e107 | Medium | 0.28 | 4.3 | 0.01 | | Sep 26, 2018 | e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page. |
| CVE-2026-43936 | e107 | Medium | 0.21 | 4.3 | 0.00 | | May 26, 2026 | e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4. |
| CVE-2004-2262 | e107 | | 0.04 | — | 0.15 | | Dec 31, 2004 | ImageManager in e107 before 0.617 does not properly check the types of uploaded files, which allows remote attackers to execute arbitrary code by uploading a PHP file via the upload parameter to images.php. |
| CVE-2003-1191 | e107 | | 0.04 | — | 0.08 | | Oct 29, 2003 | chatbox.php in e107 0.554 and 0.603 allows remote attackers to cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded. |
| CVE-2021-27885 | e107 | | 0.03 | — | 0.03 | | Mar 2, 2021 | usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism. |
| CVE-2015-1057 | e107 | | 0.03 | — | 0.03 | | Jan 16, 2015 | Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value. |
| CVE-2013-2750 | e107 | | 0.03 | — | 0.03 | | Jan 22, 2014 | Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string. |
| CVE-2012-6434 | e107 | | 0.03 | — | 0.01 | | Jan 3, 2013 | Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3)… |
| CVE-2012-6433 | e107 | | 0.03 | — | 0.02 | | Jan 3, 2013 | Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action. |
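The CVE-2026-43935 row describes the classic Host-header-injection pattern: a password-reset link built from the request's Host header, so whoever can set that header decides which domain the victim's reset token is sent to. The following is an added example, not e107 code, showing the injectable builder beside a hardened one that takes the link origin from configuration and refuses requests whose Host is not a name the site is deployed under. It is written in Python rather than PHP so it runs stand-alone; the configured base URL, the allowlist and the header values are constructed stand-ins, not values from the page.

```python
"""Added example (not e107 code): building a password-reset link without trusting
the Host header, the defect class described for CVE-2026-43935.

Assumptions (not from the page): the site stores a canonical base URL and the
hostnames it is legitimately served under; the values below are constructed.
"""
import secrets
from urllib.parse import urlencode, urlsplit

CANONICAL_URL = "https://forum.example.org"                     # assumed setting
ALLOWED_HOSTS = {"forum.example.org", "www.forum.example.org"}  # assumed setting


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The injectable pattern: the link's origin is copied from the request, so a
    request carrying "Host: attacker.example" makes the mailed link deliver the
    victim's reset token to the attacker's server when the victim clicks it."""
    return f"https://{headers.get('Host', '')}/reset?{urlencode({'token': token})}"


def host_is_allowed(host_header: str) -> bool:
    """Accepts only a bare hostname (optionally with a port) from the allowlist.
    Parsing the value as a URL authority lets urlsplit handle ports and bracketed
    IPv6 literals; userinfo ('@') and path characters are rejected outright."""
    if not host_header or "@" in host_header or "/" in host_header:
        return False
    hostname = urlsplit("//" + host_header).hostname  # already lower-cased
    return hostname is not None and hostname in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Builds the link from configuration only, never from the request. The Host
    check is a second layer: a request whose Host is not a deployed name is refused
    before any mail is generated, so a forged header gets nothing at all."""
    if not host_is_allowed(headers.get("Host", "")):
        raise ValueError("Host header is not a name this site is served under")
    return f"{CANONICAL_URL}/reset?{urlencode({'token': token})}"


def demo() -> dict:
    """Runs both builders against a forged Host header and returns the outcomes."""
    token = secrets.token_urlsafe(32)  # a fresh random reset token
    forged = {"Host": "attacker.example"}
    result = {"vulnerable": reset_link_vulnerable(forged, token)}
    try:
        reset_link_hardened(forged, token)
        result["hardened"] = "served"
    except ValueError:
        result["hardened"] = "rejected"
    result["legit"] = reset_link_hardened({"Host": "forum.example.org:443"}, token)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value}")
```

The Host allowlist belongs in front of the application as well (the web server's virtual-host configuration or a reverse proxy), since that is where a stray `Host` value is cheapest to drop; the in-application check is what protects deployments where that front layer forwards anything.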
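The CVE-2026-43936 row is a server-side request forgery: the Media Manager's "From a remote location" field lets an administrator hand the server a URL, and nothing stopped that URL from pointing at loopback, the internal network or a cloud metadata address. The block below is an added example, not e107 code, of the check a fetch-by-URL feature needs: restrict the scheme, resolve the hostname, reject any answer that is not a public unicast address (unwrapping IPv4-mapped IPv6 so `::ffff:127.0.0.1` cannot slip through), and hand the vetted addresses back so the caller connects to one of them instead of resolving again. The resolver is injected so the example runs offline against a constructed name table; `getaddrinfo_resolver` is what a real deployment would pass. Hostnames, addresses and the name table are constructed sample data.

```python
"""Added example (not e107 code): vetting a user-supplied "remote location" URL
before the server fetches it, the defect class described for CVE-2026-43936.

Assumption (not from the page): the fetch path accepts a resolver callable so the
check can be exercised offline; production code passes getaddrinfo_resolver.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]  # hostname -> IP address strings


def getaddrinfo_resolver(host: str) -> list[str]:
    """Real resolver: returns every A/AAAA answer, so a name with one public and
    one internal address is still rejected by the caller."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(text: str) -> bool:
    """True only for globally routable unicast addresses. IPv4-mapped IPv6 is
    unwrapped first so loopback or RFC 1918 space cannot hide inside ::ffff:."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_private or ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vet_remote_url(url: str, resolve: Resolver = getaddrinfo_resolver) -> tuple[bool, str, list[str]]:
    """Returns (allowed, reason, addresses). The caller must connect to one of the
    returned addresses (still sending the original hostname for Host/SNI) rather
    than resolving a second time; otherwise a DNS answer that changes between check
    and fetch (rebinding) defeats the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):   # no file://, gopher://, etc.
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", []
    host = parts.hostname
    if not host:
        return False, "no host", []
    try:
        addrs = list(resolve(host))
    except (OSError, ValueError):               # gaierror is an OSError subclass
        return False, "hostname does not resolve", []
    if not addrs:
        return False, "hostname does not resolve", []
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{host} resolves to non-public address {addr}", []
    return True, "ok", addrs


# Constructed name table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "cdn.example.net": ["93.184.216.34"],                 # sample public IPv4
    "cdn6.example.net": ["2606:4700::1111"],              # sample public IPv6
    "dual.example.net": ["93.184.216.34", "10.0.0.5"],    # one public, one internal answer
    "localtest.example.net": ["127.0.0.1"],               # attacker-owned name -> loopback
    "metadata.example.net": ["169.254.169.254"],          # cloud metadata endpoint
    "mapped.example.net": ["::ffff:127.0.0.1"],           # loopback wrapped in IPv6
    "2130706433": ["127.0.0.1"],                          # decimal 127.0.0.1, as libc resolvers read it
}


def fake_resolver(host: str) -> list[str]:
    """Offline stand-in for getaddrinfo: table lookup, else a literal IP resolves
    to itself, else ValueError (unknown name)."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    ipaddress.ip_address(host)  # raises ValueError for a name not in the table
    return [host]


if __name__ == "__main__":
    for candidate in ("https://cdn.example.net/logo.png", "http://localtest.example.net/",
                      "http://[::1]/", "http://2130706433/", "file:///etc/passwd"):
        print(candidate, "->", vet_remote_url(candidate, fake_resolver)[:2])
```

Two caveats the check itself cannot cover: the fetch must not follow redirects blindly (each redirect target goes back through `vet_remote_url` before it is followed), and shorthand numeric hosts such as `127.1` or `0x7f000001` are accepted by many libc resolvers, which is why the decision is made on resolved addresses rather than on the hostname string.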