Vendor CVEs
Runcms
All CVEs
35 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2007-6548 | 0.04 | — | 0.08 | Dec 28, 2007 | Multiple direct static code injection vulnerabilities in RunCMS before 1.6.1 allow remote authenticated administrators to inject arbitrary PHP code via the (1) header and (2) footer parameters to modules/system/admin.php in a meta-generator action, (3) the disclaimer parameter… | |||
| CVE-2007-2539 | 0.04 | — | 0.08 | May 9, 2007 | The show_files function in RunCms 1.5.2 and earlier allows remote attackers to obtain sensitive information (file existence and file metadata) via unspecified vectors. | |||
| CVE-2005-0828 | 0.04 | — | 0.09 | May 2, 2005 | highlight.php in (1) RUNCMS 1.1A, (2) CIAMOS 0.9.2 RC1, (3) e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allows remote attackers to read arbitrary PHP files by specifying the pathname in the file parameter, as demonstrated by reading database… | |||
| CVE-2009-3804 | 0.03 | — | 0.01 | Oct 27, 2009 | Multiple SQL injection vulnerabilities in modules/forum/post.php in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via (1) the pid parameter, which is not properly handled by the store function in modules/forum/class/class.forumposts.php, or (2)… | |||
| CVE-2008-7222 | 0.03 | — | 0.01 | Sep 14, 2009 | Cross-site scripting (XSS) vulnerability in system/admin.php in RunCMS 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the rank_title parameter in a RankForumAdd action. | |||
| CVE-2009-2591 | 0.03 | — | 0.01 | Jul 24, 2009 | SQL injection vulnerability in the MyAnnonces module for E-Xoopport 3.1 allows remote attackers to execute arbitrary SQL commands via the lid parameter in a viewannonces action to index.php. | |||
| CVE-2008-3354 | 0.03 | — | 0.03 | Jul 28, 2008 | Multiple PHP remote file inclusion vulnerabilities in the Newbb Plus (newbb_plus) module 0.93 in RunCMS 1.6.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) bbPath[path] parameter to votepolls.php and the (2) bbPath[root_theme] parameter to config.php,… | |||
| CVE-2008-2084 | 0.03 | — | 0.02 | May 5, 2008 | SQL injection vulnerability in topics.php in the MyArticles 0.6 beta-1 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the topic_id parameter in a listarticles action. | |||
| CVE-2008-1551 | 0.03 | — | 0.01 | Mar 31, 2008 | SQL injection vulnerability in viewcat.php in the Photo 3.02 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter. | |||
| CVE-2008-1462 | 0.03 | — | 0.01 | Mar 24, 2008 | SQL injection vulnerability in the sections (Section) module in RunCMS allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle action. | |||
| CVE-2008-0878 | 0.03 | — | 0.01 | Feb 21, 2008 | SQL injection vulnerability in index.php in the MyAnnonces 1.7 and earlier module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action. | |||
| CVE-2008-0224 | 0.03 | — | 0.02 | Jan 10, 2008 | SQL injection vulnerability in index.php in the Newbb_plus 0.92 and earlier module in RunCMS 1.6.1 allows remote attackers to execute arbitrary SQL commands via the Client-Ip parameter. | |||
| CVE-2007-6546 | 0.03 | — | 0.03 | Dec 28, 2007 | RunCMS before 1.6.1 uses a predictable session id, which makes it easier for remote attackers to hijack sessions via a modified id. | |||
| CVE-2007-6547 | 0.03 | — | 0.02 | Dec 28, 2007 | RunCMS before 1.6.1 does not require entry of the old password during a password change, which allows context-dependent attackers to change passwords upon obtaining temporary access to a session. | |||
| CVE-2007-6544 | 0.03 | — | 0.04 | Dec 28, 2007 | Multiple SQL injection vulnerabilities in RunCMS before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the lid parameter to (1) brokenfile.php, (2) visit.php, or (3) ratefile.php in modules/mydownloads/; or (4) ratelink.php, (5) modlink.php, or (6)… | |||
| CVE-2007-6545 | 0.03 | — | 0.04 | Dec 28, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in RunCMS before 1.6.1 allow remote attackers to inject arbitrary web script or HTML via (1) the subject parameter to modules/news/submit.php; (2) the PATH_INFO to modules/news/index.php, possibly related to the XoopsPageNav… | |||
| CVE-2007-2538 | 0.03 | — | 0.05 | May 9, 2007 | SQL injection vulnerability in class/debug/debug_show.php in RunCms 1.5.2 and earlier allows remote attackers to execute arbitrary SQL commands via the executed_queries array parameter. | |||
| CVE-2006-1793 | 0.03 | — | 0.04 | Apr 17, 2006 | Directory traversal vulnerability in runCMS 1.2 and earlier allows remote attackers to read arbitrary files via the bbPath[path] parameter to (1) class.forumposts.php and (2) forumpollrenderer.php. NOTE: this issue is closely related to CVE-2006-0659. | |||
| CVE-2006-1216 | 0.03 | — | 0.02 | Mar 14, 2006 | Cross-site scripting (XSS) vulnerability in bigshow.php in Runcms 1.x allows remote attackers to inject arbitrary web script or HTML via the id parameter. | |||
| CVE-2006-0875 | 0.03 | — | 0.03 | Feb 24, 2006 | Cross-site scripting vulnerability in ratefile.php in RunCMS 1.3a5 allows remote attackers to inject arbitrary web script or HTML via the lid parameter. | |||
| CVE-2006-0721 | 0.03 | — | 0.02 | Feb 16, 2006 | SQL injection vulnerability in pmlite.php in RunCMS 1.2 and 1.3a allows remote attackers to execute arbitrary SQL commands via the to_userid parameter. | |||
| CVE-2006-0659 | 0.03 | — | 0.04 | Feb 13, 2006 | Multiple PHP remote file include vulnerabilities in RunCMS 1.2 and earlier, with register_globals and allow_url_fopen enabled, allow remote attackers to execute arbitrary code via the bbPath[path] parameter in (1) class.forumposts.php and (2) forumpollrenderer.php. | |||
| CVE-2010-2852 | 0.00 | — | 0.01 | Jul 25, 2010 | Cross-site scripting (XSS) vulnerability in modules/headlines/magpierss/scripts/magpie_debug.php in RunCms 2.1, when the Headlines module is enabled, allows remote attackers to inject arbitrary web script or HTML via the url parameter. | |||
| CVE-2009-3815 | 0.00 | — | 0.01 | Oct 27, 2009 | RunCMS 2M1, when running with certain error_reporting levels, allows remote attackers to obtain sensitive information via (1) the op[] parameter to modules/contact/index.php or (2) uid[] parameter to userinfo.php, which leaks the installation path in an error message when these… | |||
| CVE-2009-3814 | 0.00 | — | 0.01 | Oct 27, 2009 | Static code injection vulnerability in RunCMS 2M1 allows remote authenticated administrators to execute arbitrary PHP code via the "Filter/Banning" feature, as demonstrated by modifying modules/system/cache/bademails.php using the "Prohibited: Emails" action, and other… | |||
| CVE-2009-3813 | 0.00 | — | 0.01 | Oct 27, 2009 | Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the (1) forum parameter to modules/forum/post.php and possibly (2) forum_id variable to modules/forum/class/class.permissions.php. | |||
| CVE-2008-7221 | 0.00 | — | 0.01 | Sep 14, 2009 | Cross-site request forgery (CSRF) vulnerability in RunCMS 1.6.1 allows remote attackers to hijack the authentication of administrators for requests that (1) add new administrators or (2) modify user profiles via a crafted request to system/admin.php. | |||
| CVE-2007-6549 | 0.00 | — | 0.01 | Dec 28, 2007 | Unspecified vulnerability in RunCMS before 1.6.1 has unknown impact and attack vectors, related to "pagetype using." | |||
| CVE-2007-5535 | 0.00 | — | 0.02 | Oct 18, 2007 | Unspecified vulnerability in newbb_plus in RunCms 1.5.2 has unknown impact and attack vectors. | |||
| CVE-2006-6452 | 0.00 | — | 0.01 | Dec 10, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in the MyArticles module before 0.6 beta 1, for RunCMS, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) topics.php, (2) submit.php, and (3) class/calendar.class.php. | |||
| CVE-2006-4667 | 0.00 | — | 0.02 | Sep 9, 2006 | Multiple SQL injection vulnerabilities in RunCMS 1.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) uid parameter in (a) class/sessions.class.php, and the (2) timezone_offset and (3) umode parameters in (b) class/xoopsuser.php. | |||
| CVE-2005-2691 | 0.00 | — | 0.02 | Aug 24, 2005 | includes/common.php in RunCMS 1.2 and earlier calls the extract function with EXTR_OVERWRITE on HTTP POST variables, which allows remote attackers to overwrite arbitrary variables, possibly allowing execution of arbitrary code. | |||
| CVE-2005-2692 | 0.00 | — | 0.01 | Aug 24, 2005 | Multiple SQL injection vulnerabilities in RunCMS 1.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) addquery and (2) subquery parameters to the newbb plus module, the forum parameter to (3) newtopic.php, (4) edit.php, or (5) reply.php in the… | |||
| CVE-2005-0827 | 0.00 | — | 0.01 | May 2, 2005 | Viewcat.php in (1) RUNCMS 1.1A, (2) Ciamos 0.9.2 RC1, e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allow remote attackers to obtain sensitive information via an invalid parameter to the convertorderbytrans function, which reveals the path in a PHP… | |||
| CVE-2005-1031 | 0.00 | — | 0.01 | May 2, 2005 | RUNCMS 1.1A, and possibly other products based on e-Xoops (exoops), when "Allow custom avatar upload" is enabled, does not properly verify uploaded files, which allows remote attackers to upload arbitrary files. |
- CVE-2007-6548Dec 28, 2007risk 0.04cvss —epss 0.08
Multiple direct static code injection vulnerabilities in RunCMS before 1.6.1 allow remote authenticated administrators to inject arbitrary PHP code via the (1) header and (2) footer parameters to modules/system/admin.php in a meta-generator action, (3) the disclaimer parameter…
- CVE-2007-2539May 9, 2007risk 0.04cvss —epss 0.08
The show_files function in RunCms 1.5.2 and earlier allows remote attackers to obtain sensitive information (file existence and file metadata) via unspecified vectors.
- CVE-2005-0828May 2, 2005risk 0.04cvss —epss 0.09
highlight.php in (1) RUNCMS 1.1A, (2) CIAMOS 0.9.2 RC1, (3) e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allows remote attackers to read arbitrary PHP files by specifying the pathname in the file parameter, as demonstrated by reading database…
- CVE-2009-3804Oct 27, 2009risk 0.03cvss —epss 0.01
Multiple SQL injection vulnerabilities in modules/forum/post.php in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via (1) the pid parameter, which is not properly handled by the store function in modules/forum/class/class.forumposts.php, or (2)…
- CVE-2008-7222Sep 14, 2009risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in system/admin.php in RunCMS 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the rank_title parameter in a RankForumAdd action.
- CVE-2009-2591Jul 24, 2009risk 0.03cvss —epss 0.01
SQL injection vulnerability in the MyAnnonces module for E-Xoopport 3.1 allows remote attackers to execute arbitrary SQL commands via the lid parameter in a viewannonces action to index.php.
- CVE-2008-3354Jul 28, 2008risk 0.03cvss —epss 0.03
Multiple PHP remote file inclusion vulnerabilities in the Newbb Plus (newbb_plus) module 0.93 in RunCMS 1.6.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) bbPath[path] parameter to votepolls.php and the (2) bbPath[root_theme] parameter to config.php,…
- CVE-2008-2084May 5, 2008risk 0.03cvss —epss 0.02
SQL injection vulnerability in topics.php in the MyArticles 0.6 beta-1 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the topic_id parameter in a listarticles action.
- CVE-2008-1551Mar 31, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in viewcat.php in the Photo 3.02 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter.
- CVE-2008-1462Mar 24, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in the sections (Section) module in RunCMS allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle action.
- CVE-2008-0878Feb 21, 2008risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in the MyAnnonces 1.7 and earlier module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action.
- CVE-2008-0224Jan 10, 2008risk 0.03cvss —epss 0.02
SQL injection vulnerability in index.php in the Newbb_plus 0.92 and earlier module in RunCMS 1.6.1 allows remote attackers to execute arbitrary SQL commands via the Client-Ip parameter.
- CVE-2007-6546Dec 28, 2007risk 0.03cvss —epss 0.03
RunCMS before 1.6.1 uses a predictable session id, which makes it easier for remote attackers to hijack sessions via a modified id.
- CVE-2007-6547Dec 28, 2007risk 0.03cvss —epss 0.02
RunCMS before 1.6.1 does not require entry of the old password during a password change, which allows context-dependent attackers to change passwords upon obtaining temporary access to a session.
- CVE-2007-6544Dec 28, 2007risk 0.03cvss —epss 0.04
Multiple SQL injection vulnerabilities in RunCMS before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the lid parameter to (1) brokenfile.php, (2) visit.php, or (3) ratefile.php in modules/mydownloads/; or (4) ratelink.php, (5) modlink.php, or (6)…
- CVE-2007-6545Dec 28, 2007risk 0.03cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in RunCMS before 1.6.1 allow remote attackers to inject arbitrary web script or HTML via (1) the subject parameter to modules/news/submit.php; (2) the PATH_INFO to modules/news/index.php, possibly related to the XoopsPageNav…
- CVE-2007-2538May 9, 2007risk 0.03cvss —epss 0.05
SQL injection vulnerability in class/debug/debug_show.php in RunCms 1.5.2 and earlier allows remote attackers to execute arbitrary SQL commands via the executed_queries array parameter.
- CVE-2006-1793Apr 17, 2006risk 0.03cvss —epss 0.04
Directory traversal vulnerability in runCMS 1.2 and earlier allows remote attackers to read arbitrary files via the bbPath[path] parameter to (1) class.forumposts.php and (2) forumpollrenderer.php. NOTE: this issue is closely related to CVE-2006-0659.
- CVE-2006-1216Mar 14, 2006risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in bigshow.php in Runcms 1.x allows remote attackers to inject arbitrary web script or HTML via the id parameter.
- CVE-2006-0875Feb 24, 2006risk 0.03cvss —epss 0.03
Cross-site scripting vulnerability in ratefile.php in RunCMS 1.3a5 allows remote attackers to inject arbitrary web script or HTML via the lid parameter.
- CVE-2006-0721Feb 16, 2006risk 0.03cvss —epss 0.02
SQL injection vulnerability in pmlite.php in RunCMS 1.2 and 1.3a allows remote attackers to execute arbitrary SQL commands via the to_userid parameter.
- CVE-2006-0659Feb 13, 2006risk 0.03cvss —epss 0.04
Multiple PHP remote file include vulnerabilities in RunCMS 1.2 and earlier, with register_globals and allow_url_fopen enabled, allow remote attackers to execute arbitrary code via the bbPath[path] parameter in (1) class.forumposts.php and (2) forumpollrenderer.php.
- CVE-2010-2852Jul 25, 2010risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in modules/headlines/magpierss/scripts/magpie_debug.php in RunCms 2.1, when the Headlines module is enabled, allows remote attackers to inject arbitrary web script or HTML via the url parameter.
- CVE-2009-3815Oct 27, 2009risk 0.00cvss —epss 0.01
RunCMS 2M1, when running with certain error_reporting levels, allows remote attackers to obtain sensitive information via (1) the op[] parameter to modules/contact/index.php or (2) uid[] parameter to userinfo.php, which leaks the installation path in an error message when these…
- CVE-2009-3814Oct 27, 2009risk 0.00cvss —epss 0.01
Static code injection vulnerability in RunCMS 2M1 allows remote authenticated administrators to execute arbitrary PHP code via the "Filter/Banning" feature, as demonstrated by modifying modules/system/cache/bademails.php using the "Prohibited: Emails" action, and other…
- CVE-2009-3813Oct 27, 2009risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in RunCMS 2M1 allow remote authenticated users to execute arbitrary SQL commands via the (1) forum parameter to modules/forum/post.php and possibly (2) forum_id variable to modules/forum/class/class.permissions.php.
- CVE-2008-7221Sep 14, 2009risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in RunCMS 1.6.1 allows remote attackers to hijack the authentication of administrators for requests that (1) add new administrators or (2) modify user profiles via a crafted request to system/admin.php.
- CVE-2007-6549Dec 28, 2007risk 0.00cvss —epss 0.01
Unspecified vulnerability in RunCMS before 1.6.1 has unknown impact and attack vectors, related to "pagetype using."
- CVE-2007-5535Oct 18, 2007risk 0.00cvss —epss 0.02
Unspecified vulnerability in newbb_plus in RunCms 1.5.2 has unknown impact and attack vectors.
- CVE-2006-6452Dec 10, 2006risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the MyArticles module before 0.6 beta 1, for RunCMS, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) topics.php, (2) submit.php, and (3) class/calendar.class.php.
- CVE-2006-4667Sep 9, 2006risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in RunCMS 1.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) uid parameter in (a) class/sessions.class.php, and the (2) timezone_offset and (3) umode parameters in (b) class/xoopsuser.php.
- CVE-2005-2691Aug 24, 2005risk 0.00cvss —epss 0.02
includes/common.php in RunCMS 1.2 and earlier calls the extract function with EXTR_OVERWRITE on HTTP POST variables, which allows remote attackers to overwrite arbitrary variables, possibly allowing execution of arbitrary code.
- CVE-2005-2692Aug 24, 2005risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in RunCMS 1.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) addquery and (2) subquery parameters to the newbb plus module, the forum parameter to (3) newtopic.php, (4) edit.php, or (5) reply.php in the…
- CVE-2005-0827May 2, 2005risk 0.00cvss —epss 0.01
Viewcat.php in (1) RUNCMS 1.1A, (2) Ciamos 0.9.2 RC1, e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allow remote attackers to obtain sensitive information via an invalid parameter to the convertorderbytrans function, which reveals the path in a PHP…
- CVE-2005-1031May 2, 2005risk 0.00cvss —epss 0.01
RUNCMS 1.1A, and possibly other products based on e-Xoops (exoops), when "Allow custom avatar upload" is enabled, does not properly verify uploaded files, which allows remote attackers to upload arbitrary files.