Vendor: PHP-Nuke

PHP-Nuke is a web-based automated news publishing and content management system based on PHP and MySQL originally written by Francisco Burzi. The system is controlled using a web-based user interface. PHP-Nuke was originally a fork of the Thatware news portal system by David Norman.

Products: 71
CVEs: 173
Across products: 173
Status: Private

Recent CVEs

  • CVE-2008-2020 | High | Apr 30, 2008
    risk 0.49 | cvss 7.5 | epss 0.02

    The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and…

  • CVE-2007-1061 | Feb 22, 2007
    risk 0.08 | cvss - | epss 0.61

    SQL injection vulnerability in index.php in Francisco Burzi PHP-Nuke 8.0 Final and earlier, when the "HTTP Referers" block is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header (HTTP_REFERER variable).

  • CVE-2005-3792 | Nov 24, 2005
    risk 0.07 | cvss - | epss 0.44

    Multiple SQL injection vulnerabilities in the Search module in PHP-Nuke 7.8, and possibly other versions before 7.9 with patch 3.1, allow remote attackers to execute arbitrary SQL commands, as demonstrated via the query parameter in a stories type.

  • CVE-2006-0163 | Jan 11, 2006
    risk 0.04 | cvss - | epss 0.07

    SQL injection vulnerability in the search module (modules/Search/index.php) of PHPNuke EV 7.7 -R1 allows remote attackers to execute arbitrary SQL commands via the query parameter, which is used by the search field. NOTE: This is a different vulnerability than CVE-2005-3792.

  • CVE-2004-0269 | Nov 23, 2004
    risk 0.04 | cvss - | epss 0.08

    SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module.

  • CVE-2004-2044 | Jun 1, 2004
    risk 0.04 | cvss - | epss 0.11

    PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script, which allows remote attackers to…

  • CVE-2004-1988 | Apr 30, 2004
    risk 0.04 | cvss - | epss 0.09

    PHP remote file inclusion vulnerability in init.inc.php in Coppermine Photo Gallery 1.2.0 RC4 allows remote attackers to execute arbitrary PHP code by modifying the CPG_M_DIR to reference a URL on a remote web server that contains functions.inc.php.

  • CVE-2004-1989 | Apr 30, 2004
    risk 0.04 | cvss - | epss 0.09

    PHP remote file inclusion vulnerability in theme.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to execute arbitrary PHP code by modifying the THEME_DIR parameter to reference a URL on a remote web server that contains user_list_info_box.inc.

  • CVE-2004-1929 | Apr 13, 2004
    risk 0.04 | cvss - | epss 0.07

    SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter.

  • CVE-2004-1986 | Apr 4, 2004
    risk 0.04 | cvss - | epss 0.11

    Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter.

  • CVE-2002-0483 | Aug 12, 2002
    risk 0.04 | cvss - | epss 0.08

    index.php for PHP-Nuke 5.4 and earlier allows remote attackers to determine the physical pathname of the web server when the file parameter is set to index.php, which triggers an error message that leaks the pathname.

  • CVE-2002-0206 | May 16, 2002
    risk 0.04 | cvss - | epss 0.07

    index.php in Francisco Burzi PHP-Nuke 5.3.1 and earlier, and possibly other versions before 5.5, allows remote attackers to execute arbitrary PHP code by specifying a URL to the malicious code in the file parameter.

  • CVE-2001-0900 | Nov 18, 2001
    risk 0.04 | cvss - | epss 0.08

    Directory traversal vulnerability in modules.php in Gallery before 1.2.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the include parameter.

  • CVE-2001-0383 | Jun 18, 2001
    risk 0.04 | cvss - | epss 0.06

    banners.php in PHP-Nuke 4.4 and earlier allows remote attackers to modify banner ad URLs by directly calling the Change operation, which does not require authentication.

  • CVE-2000-0745 | Oct 20, 2000
    risk 0.04 | cvss - | epss 0.12

    admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter.

  • CVE-2014-3934 | Jun 2, 2014
    risk 0.03 | cvss - | epss 0.02

    SQL injection vulnerability in the Submit_News module for PHP-Nuke 8.3 allows remote attackers to execute arbitrary SQL commands via the topics[] parameter to modules.php.

  • CVE-2010-5083 | Feb 14, 2012
    risk 0.03 | cvss - | epss 0.01

    SQL injection vulnerability in the Web_Links module for PHP-Nuke 8.0 allows remote attackers to execute arbitrary SQL commands via the url parameter in an Add action to modules.php.

  • CVE-2008-7226 | Sep 14, 2009
    risk 0.03 | cvss - | epss 0.01

    SQL injection vulnerability in index.php in the Recipes module 1.3, 1.4, and possibly other versions for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the recipeid parameter.

  • CVE-2008-7038 | Aug 24, 2009
    risk 0.03 | cvss - | epss 0.01

    SQL injection vulnerability in the My_eGallery module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the gid parameter in a showgall action to modules.php. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.

  • CVE-2008-6779 | May 1, 2009
    risk 0.03 | cvss - | epss 0.01

    SQL injection vulnerability in the Sarkilar module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a showcontent action to modules.php.