CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-28280
https://notcve.org/view.php?id=CVE-2021-28280
29 Apr 2021 — CSRF + Cross-site scripting (XSS) vulnerability in search.php in PHPFusion 9.03.110 allows remote attackers to inject arbitrary web script or HTML CSRF + Una vulnerabilidad de Cross-site scripting (XSS) en el archivo search.php en PHPFusion versión 9.03.110, permite a atacantes remotos inyectar script web o HTML arbitrario • https://anotepad.com/notes/2skndayt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2021-29399
https://notcve.org/view.php?id=CVE-2021-29399
19 Apr 2021 — XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions 1.9.12.03 or 1.9.11.16. XMB es vulnerable a un ataque de tipo cross-site scripting (XSS) debido a un filtrado inadecuado de la entrada de BBCode. Este bug afecta a todas las versiones de XMB. • https://docs.xmbforum2.com/index.php?title=Security_Issue_History • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2021-21702 – Null Dereference in SoapClient
https://notcve.org/view.php?id=CVE-2021-21702
15 Feb 2021 — In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash. En PHP versiones 7.3.x por debajo de 7.3.27, 7.4.x por debajo de 7.4.15 y 8.0.x por debajo de 8.0.2, cuando se usa la extensión SOAP para conectarse a un servidor SOAP, un servidor SOAP malicioso podría devolver datos XML malformados como ... • https://bugs.php.net/bug.php?id=80672 • CWE-476: NULL Pointer Dereference •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-7071 – FILTER_VALIDATE_URL accepts URLs with invalid userinfo
https://notcve.org/view.php?id=CVE-2020-7071
15 Feb 2021 — In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL. En PHP versiones 7.3.x por debajo de 7.3.26, 7.4.x por debajo de 7.4.14 y 8.0.0, cuando se comprueba una URL con funciones como filter_var ($url, FILTER_VALIDATE_URL), PHP aceptará u... • https://bugs.php.net/bug.php?id=77423 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 94%CPEs: 11EXPL: 0CVE-2020-36193 – PEAR Archive_Tar Improper Link Resolution Vulnerability
https://notcve.org/view.php?id=CVE-2020-36193
18 Jan 2021 — Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. El archivo Tar.php en Archive_Tar versiones hasta 1.4.11, permite operaciones de escritura con Salto de Directorio debido a una comprobación inadecuada de enlaces simbólicos, un problema relacionado al CVE-2020-28948 A flaw was found in the Archive_Tar package. Archive_Tar could allow a remote attacker to traverse directories on the system ca... • https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2020-35687 – PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)
https://notcve.org/view.php?id=CVE-2020-35687
13 Jan 2021 — PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of all shoutbox messages by the attacker on behalf of the logged in victim. PHPFusion versión 9.03.90, es vulnerable a un ataque CSRF que conlleva a la eliminación de todos los mensajes de shoutbox por parte del atacante en nombre de la víctima que inició sesión. • https://www.exploit-db.com/exploits/49426 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35952
https://notcve.org/view.php?id=CVE-2020-35952
03 Jan 2021 — login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration. El archivo login.php en PHPFusion (también se conoce como PHP-Fusion) Andromeda versión 9.x antes del 30-12-2020 genera mensajes de error que distinguen entre un nombre de usuario incorrecto y una contraseña incorrecta (es decir, ni un solo... • https://github.com/PHPFusion/PHPFusion/issues/2346 •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2020-25955 – Student Management System Project PHP 1.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-25955
08 Dec 2020 — SourceCodester Student Management System Project in PHP version 1.0 is vulnerable to stored a cross-site scripting (XSS) via the 'add subject' tab. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en SourceCodester Student Management System Project en PHP versión 1.0, por medio de la pestaña "add subject" Student Management System PHP version 1.0 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/160398 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29283
https://notcve.org/view.php?id=CVE-2020-29283
02 Dec 2020 — An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php. Se detectó una vulnerabilidad de inyección SQL en Online Doctor Appointment Booking System PHP por medio del parámetro q en el archivo getuser.php • https://github.com/BigTiger2020/Online-Doctor-Appointment-Booking-System-PHP/blob/main/README.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29285
https://notcve.org/view.php?id=CVE-2020-29285
02 Dec 2020 — SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php. Se detectó una vulnerabilidad de inyección SQL en Point of Sales en PHP/PDO versión 1.0, que se puede explotar por medio del parámetro id para el archivo edit_category.php • https://github.com/BigTiger2020/Point-of-Sales/blob/main/README.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •