CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0338 – Buffer Overflow Vulnerability in XAMPP
https://notcve.org/view.php?id=CVE-2024-0338
02 Feb 2024 — A buffer overflow vulnerability has been found in XAMPP affecting version 8.2.4 and earlier. An attacker could execute arbitrary code through a long file debug argument that controls the Structured Exception Handler (SEH). Se encontró una vulnerabilidad de desbordamiento de búfer de almacenamiento dinámico en XAMPP que afecta a la versión 8.2.4 y anteriores. Un atacante podría ejecutar código arbitrario a través de un argumento de depuración de archivo largo que controla el controlador de excepciones estruc... • https://www.incibe.es/en/incibe-cert/notices/aviso/buffer-overflow-vulnerability-xampp • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 1CVE-2022-47637
https://notcve.org/view.php?id=CVE-2022-47637
12 Sep 2023 — The installer in XAMPP through 8.1.12 allows local users to write to the C:\xampp directory. Common use cases execute files under C:\xampp with administrative privileges. El instalador en XAMPP hasta 8.1.12 permite a los usuarios locales escribir en el directorio C:\xampp. Los casos de uso comunes ejecutan archivos en C:\xampp con privilegios administrativos. • https://shinnai.altervista.org/exploits/DVRT-2023-0001_CVE-2022-47637.pdf • CWE-281: Improper Preservation of Permissions •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-20018 – XAMPP Installer uncontrolled search path
https://notcve.org/view.php?id=CVE-2017-20018
09 Jun 2022 — A vulnerability was found in XAMPP 7.1.1-0-VC14. It has been classified as problematic. Affected is an unknown function of the component Installer. The manipulation leads to privilege escalation. It is possible to launch the attack remotely. • https://packetstormsecurity.com/files/142406/xampp-dllhijack.txt • CWE-427: Uncontrolled Search Path Element •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-29376
https://notcve.org/view.php?id=CVE-2022-29376
23 May 2022 — Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory. Se ha detectado que Xampp para Windows versiones v8.1.4 y anteriores, contiene permisos no seguros para su directorio de instalación, lo que permite a atacantes ejecutar código arbitrario por medio de la escritura excesiva de binarios ubicados en el directorio • https://github.com/ycdxsb/Vuln/blob/main/Xampp-Install-Dir-Incorrect-Default-Permission/Xampp-Install-Dir-Incorrect-Default-Permission.md • CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 5CVE-2020-11107 – XAMPP 7.4.3 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2020-11107
02 Apr 2020 — An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16 , and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-contol.ini for all users (including admins) to enable arbitrary command execution. Se detectó un problema en XAMPP versiones anteriores a 7.2.29, versiones 7.3.x anteriores a 7.3.16 y versiones 7.4.x anteriores a 7.4.4 en Windows. Un usuario no privilegiado puede cambiar una configuración de .exe en xampp-contol.ini para todos los usuarios (in... • https://packetstorm.news/files/id/164292 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8920
https://notcve.org/view.php?id=CVE-2019-8920
09 Jul 2019 — iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. En el archivo iart.php en XAMPP versión 1.7.0, presenta una vulnerabilidad de tipo XSS, un problema relacionado con el CVE-2008-3569. • http://www.securityfocus.com/bid/109120 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 4CVE-2019-8924 – XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-8924
19 Feb 2019 — XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued. XAMPP a través de la versión 5.6.8 permite una vulnerabilidad de XSS por medio del archivo cds-fpdf.php en el parámetro interpret o titel. NOTA: Este producto está suspendido. XAMPP version 5.6.8 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://packetstorm.news/files/id/151756 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 3CVE-2019-8923 – XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-8923
19 Feb 2019 — XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued. En XAMPP hasta la versión 5.6.8 y anterior, permite la inyección de SQL por medio del parámetro cds-fpdf.php jahr. NOTA: Este producto está descatalogado. XAMPP version 5.6.8 suffers from cross site scripting and remote SQL injection vulnerabilities. • https://packetstorm.news/files/id/151756 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 6CVE-2013-2586 – XAMPP 1.8.1 - 'lang.php?WriteIntoLocalDisk method' Local Write Access
https://notcve.org/view.php?id=CVE-2013-2586
26 Sep 2013 — XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which allows remote attackers to modify xampp/lang.tmp and execute cross-site scripting (XSS) attacks via the WriteIntoLocalDisk method. XAMPP 1.8.1 no restringe debidamente el acceso a xampp/lang.php, lo que permite a atacantes remotos modificar xampp/lang.tmp y ejecutar ataques de XSS a través del método WriteIntoLocalDisk. XAMPP version 1.8.1 allows an unprivileged user the ability to write to the local disk. • https://packetstorm.news/files/id/123407 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2008-6499 – XAMPP 1.6.8 - Cross-Site Request Forgery (Change Administrative Password)
https://notcve.org/view.php?id=CVE-2008-6499
20 Mar 2009 — security/xamppsecurity.php in XAMPP 1.6.8 performs an extract operation on the SERVER superglobal array, which allows remote attackers to spoof critical variables, as demonstrated by setting the REMOTE_ADDR variable to 127.0.0.1. security/xamppsecurity.php en XAMPP v1.6.8 realiza una operación "extract" en el array superglobal SERVER, lo cual permite a atacantes remotos suplantar variables críticas, como lo demostrado a través del establecimiento de la variable REMOTE_ADDR de 127.0.0.1. • https://www.exploit-db.com/exploits/7384 • CWE-94: Improper Control of Generation of Code ('Code Injection') •