CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 1CVE-2020-7071 – FILTER_VALIDATE_URL accepts URLs with invalid userinfo
https://notcve.org/view.php?id=CVE-2020-7071
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL. En PHP versiones 7.3.x por debajo de 7.3.26, 7.4.x por debajo de 7.4.14 y 8.0.0, cuando se comprueba una URL con funciones como filter_var ($url, FILTER_VALIDATE_URL), PHP aceptará una URL con una contraseña no válida como una URL válida. Esto puede conllevar a funciones que dependen de que la URL sea válida para analizar inapropiadamente la URL y producir datos incorrectos como componentes de la URL • https://bugs.php.net/bug.php?id=77423 https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html https://security.gentoo.org/glsa/202105-23 https://security.netapp.com/advisory/ntap-20210312-0005 https://www.debian.org/security/2021/dsa-4856 https://www.oracle.com/security-alerts/cpuoct2021.html https://www.tenable.com/security/tns-2021-14 https://access.redhat.com/security/cve/CVE-2020-7071 https://bugzilla.redhat.com/show_bug.cgi?id=1913846 • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35952
https://notcve.org/view.php?id=CVE-2020-35952
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration. El archivo login.php en PHPFusion (también se conoce como PHP-Fusion) Andromeda versión 9.x antes del 30-12-2020 genera mensajes de error que distinguen entre un nombre de usuario incorrecto y una contraseña incorrecta (es decir, ni un solo mensaje de "Incorrect username or password" en ambos casos), lo que podría permitir la enumeración. • https://github.com/PHPFusion/PHPFusion/issues/2346 •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25955 – Student Management System Project PHP 1.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-25955
SourceCodester Student Management System Project in PHP version 1.0 is vulnerable to stored a cross-site scripting (XSS) via the 'add subject' tab. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en SourceCodester Student Management System Project en PHP versión 1.0, por medio de la pestaña "add subject" Student Management System PHP version 1.0 suffers from a persistent cross site scripting vulnerability. • http://packetstormsecurity.com/files/160398/Student-Management-System-Project-PHP-1.0-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2020/Dec/4 https://seclists.org/fulldisclosure/2020/Dec/4 https://www.sourcecodester.com/php/14443/student-management-system-project-php.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29283
https://notcve.org/view.php?id=CVE-2020-29283
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php. Se detectó una vulnerabilidad de inyección SQL en Online Doctor Appointment Booking System PHP por medio del parámetro q en el archivo getuser.php • https://github.com/BigTiger2020/Online-Doctor-Appointment-Booking-System-PHP/blob/main/README.md https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29285
https://notcve.org/view.php?id=CVE-2020-29285
SQL injection vulnerability was discovered in Point of Sales in PHP/PDO 1.0, which can be exploited via the id parameter to edit_category.php. Se detectó una vulnerabilidad de inyección SQL en Point of Sales en PHP/PDO versión 1.0, que se puede explotar por medio del parámetro id para el archivo edit_category.php • https://github.com/BigTiger2020/Point-of-Sales/blob/main/README.md https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •