CVSS: 9.8 • EPSS: 25% • CPEs: 1 • EXPL: 1

05 Apr 2022 — PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CRLF injection. Note: Third parties have disputed this as not affecting PHP-Memcached directly. • https://github.com/php-memcached-dev/php-memcached/issues/519

CVSS: 9.8 • EPSS: 0% • CPEs: 3 • EXPL: 1

27 Feb 2022 — In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects: code that uses FILTER_VALIDATE_FLOAT with min/max limits. • https://bugs.php.net/bug.php?id=81708 • CWE-416: Use After Free

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Feb 2022 — A reflected cross-site scripting (XSS) vulnerability in PHP-Fusion 7.02.07 allows remote attackers to inject arbitrary web script or HTML via the status parameter in the CMS admin panel. • https://www.xlabs.com.br/blog/cve-2014-8597-php-fusion-xss-injection-reflected • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Jan 2022 — SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23 allows attackers to execute arbitrary SQL commands via the username and password parameters. • https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.6 • EPSS: 1% • CPEs: 1 • EXPL: 1

24 Jan 2022 — Cross-site scripting (XSS) vulnerability in Sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23 allows remote attackers to execute arbitrary code via the first_name, last_name, and email parameters to /ajax_crud. • https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-10-09102021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Jan 2022 — Cross-Site Request Forgery (CSRF) vulnerability in Alexander Fuchs PHP Everywhere plugin <= 2.0.2 versions. The PHP Everywhere plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to conduct unspecified potential attacks via forged request grant... • https://patchstack.com/database/vulnerability/php-everywhere/wordpress-php-everywhere-plugin-2-0-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.9 • EPSS: 1% • CPEs: 1 • EXPL: 1

04 Jan 2022 — PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user. PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities. • https://packetstorm.news/files/id/165895 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.9 • EPSS: 1% • CPEs: 1 • EXPL: 1

04 Jan 2022 — PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress metaboxes, which could be used by any user able to edit posts. PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities. • https://packetstorm.news/files/id/165895 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.9 • EPSS: 2% • CPEs: 1 • EXPL: 2

04 Jan 2022 — PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress Gutenberg block by any user able to edit posts. PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities. • https://packetstorm.news/files/id/165895 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

17 Dec 2021 — Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php. • https://github.com/gaoming13/wechat-php-sdk • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')