CVSS: 5.1EPSS: 0%CPEs: 41EXPL: 0CVE-2007-5032
https://notcve.org/view.php?id=CVE-2007-5032
Cross-site request forgery (CSRF) vulnerability in admin.php in Francisco Burzi PHP-Nuke allows remote attackers to add administrative accounts via an AddAuthor action with modified add_name and add_radminsuper parameters. Falsificación de petición en sitios cruzados (CSRF) en admin.php de Francisco Burzi PHP-Nuke permite a atacantes remotos añadir cuentas administrativas mediante una acción AddAuthor con parámetros add_name y add_radminsuper modificados. • http://osvdb.org/42521 http://securityreason.com/securityalert/3157 http://www.securityfocus.com/archive/1/480107/100/0/threaded • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 2CVE-2007-1519
https://notcve.org/view.php?id=CVE-2007-1519
Cross-site scripting (XSS) vulnerability in modules.php in PHP-Nuke 8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search operation in the Downloads module, a different product than CVE-2006-3948. Una vulnerabilidad de tipo Cross-site scripting (XSS) en el archivo modules.php en PHP-Nuke versión 8.0 y anteriores, permite que los atacantes remotos inyecten un script web o HTML arbitrario por medio del parámetro query en una operación search en el módulo Downloads, un producto diferente al CVE-2006- 3948. • http://phpfi.com/214668 http://secunia.com/advisories/24629 http://www.securityfocus.com/archive/1/462308/100/100/threaded http://www.ush.it/2007/03/09/php-nuke-wild-post-xss http://www.wisec.it/ush/phpnukexss.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 2%CPEs: 13EXPL: 3CVE-2007-1520
https://notcve.org/view.php?id=CVE-2007-1520
The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks. La protección de cross-site request forgery (CSRF) en PHP-Nuke versión 8.0 y anteriores, no garantiza que la superglobal SERVER sea una matriz antes de validar la HTTP_REFERER, que permite a los atacantes remotos realizar ataques CSRF. • http://osvdb.org/34501 http://phpfi.com/214668 http://secunia.com/advisories/24629 http://www.securityfocus.com/archive/1/462308/100/100/threaded http://www.securityfocus.com/archive/1/462575/100/0/threaded http://www.securityfocus.com/archive/1/462727/100/0/threaded http://www.ush.it/2007/03/09/php-nuke-wild-post-xss http://www.wisec.it/ush/phpnukexss.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 89%CPEs: 1EXPL: 3CVE-2007-1061 – PHP-Nuke 8.0 Final - 'INSERT' Blind SQL Injection (MySQL)
https://notcve.org/view.php?id=CVE-2007-1061
SQL injection vulnerability in index.php in Francisco Burzi PHP-Nuke 8.0 Final and earlier, when the "HTTP Referers" block is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header (HTTP_REFERER variable). Vulnerabilidad de inyección SQL en index.php del Francisco Burzi PHP-Nuke 8.0 Final y versiones anteriores, cuando el bloque de las "Referencias HTTP" está habilitado, permite a atacantes remotos ejecutar comandos SQL de su elección mediante una cabecera HTTP Referer (variable HTTP_REFERER). • https://www.exploit-db.com/exploits/3344 https://www.exploit-db.com/exploits/3345 https://www.exploit-db.com/exploits/3346 http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052570.html http://osvdb.org/33316 http://secunia.com/advisories/24224 http://www.securityfocus.com/archive/1/461148/100/0/threaded http://www.securityfocus.com/bid/22638 http://www.vupen.com/english/advisories/2007/0673 https://exchange.xforce.ibmcloud.com/vulnerabilities/32607 •
CVSS: 7.5EPSS: 55%CPEs: 1EXPL: 2CVE-2007-0309 – PHP-Nuke 7.x - 'Block-Old_Articles.php' SQL Injection
https://notcve.org/view.php?id=CVE-2007-0309
SQL injection vulnerability in blocks/block-Old_Articles.php in Francisco Burzi PHP-Nuke 7.9 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter. Vulnerabilidad de inyección SQL en blocks/block-Old_Articles.php en Francisco Burzi PHP-Nuke 7.9 y versiones anteriores, cuando register_globals está activado y magic_quotes_gpc está deshabilitado, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro cat. • https://www.exploit-db.com/exploits/29453 http://osvdb.org/32863 http://secunia.com/advisories/23748 http://securityreason.com/securityalert/2153 http://securitytracker.com/id?1017511 http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-Old-Articles-Block-cat-SQL-Injection-vulnerability-31.html http://www.securityfocus.com/archive/1/456787/100/0/threaded http://www.securityfocus.com/bid/22037 https://exchange.xforce.ibmcloud.com/vulnerabilities/31482 •