CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 3CVE-2007-1520
https://notcve.org/view.php?id=CVE-2007-1520
20 Mar 2007 — The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks. La protección de cross-site request forgery (CSRF) en PHP-Nuke versión 8.0 y anteriores, no garantiza que la superglobal SERVER sea una matriz antes de validar la HTTP_REFERER, que permite a los atacantes remotos realizar ataques CSRF. • http://osvdb.org/34501 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2007-1449
https://notcve.org/view.php?id=CVE-2007-1449
14 Mar 2007 — Directory traversal vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter. Vulnerabilidad de escalado de directorio en mainfile.php del PHP-Nuke 8.0 y versiones anteriores permite a atacantes remotos leer ficheros de su elección mediante un .. (punto punto) en el parámetro lang. • http://secunia.com/advisories/24484 •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2007-1450
https://notcve.org/view.php?id=CVE-2007-1450
14 Mar 2007 — SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to execute arbitrary SQL commands in the Top or News module via the lang parameter. Vulnerabilidad de inyección SQL en el mainfile.php del PHP-Nuke 8.0 y versiones anteriores permite a atacantes remotos ejecutar comandos SQL de su elección en módulo Top o News mediante el parámetro lang. • http://www.securityfocus.com/archive/1/462443/100/0/threaded •
CVSS: 9.8EPSS: 1%CPEs: 10EXPL: 2CVE-2006-5525 – PHP-Nuke 7.9 - 'Encyclopedia' SQL Injection
https://notcve.org/view.php?id=CVE-2006-5525
26 Oct 2006 — Incomplete blacklist vulnerability in mainfile.php in PHP-Nuke 7.9 and earlier allows remote attackers to conduct SQL injection attacks via (1) "/**/UNION " or (2) " UNION/**/" sequences, which are not rejected by the protection mechanism, as demonstrated by a SQL injection via the eid parameter in a search action in the Encyclopedia module in modules.php. Vulnerabilidad de lista negra incompleta en mainfile.php en PHP-Nuke 7.9 y anteriores permite a un atacante remoto llevar a cabo un ataque de inyección S... • https://www.exploit-db.com/exploits/2617 •
CVSS: 9.8EPSS: 10%CPEs: 1EXPL: 2CVE-2006-5494 – pandaBB - 'displayCategory' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-5494
25 Oct 2006 — Multiple PHP remote file inclusion vulnerabilities in modules/My_eGallery/public/displayCategory.php in the pandaBB module for PHP-Nuke allow remote attackers to execute arbitrary PHP code via a URL in the (1) adminpath or (2) basepath parameters. NOTE: this issue might overlap CVE-2006-6795. Múltiples vulnerabilidades de inclusión remota de archivos de PHP en modules/My_eGallery/public/displayCategory.php en el módulo pandaBB para PHP-Nuke permite a atacantes remotos ejecutar código PHP de su elección a tr... • https://www.exploit-db.com/exploits/2599 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 3CVE-2006-4563 – PHP-Nuke MyHeadlines 4.3.1 Module - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-4563
06 Sep 2006 — Cross-site scripting (XSS) vulnerability in the MyHeadlines before 4.3.2 module for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the myh_op parameter to modules.php. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el módulo MyHeadlines anterior a 4.3.2 para PHP-Nuke permite a un atacante remoto inyectar secuencias de comandos web o HTML de su elección a trave´s del parámetro myh_op en module.php. • https://www.exploit-db.com/exploits/28487 •
CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 0CVE-2006-1602
https://notcve.org/view.php?id=CVE-2006-1602
04 Apr 2006 — PHP remote file inclusion vulnerability in includes/functions_common.php in the VWar Account module (vWar_Account) in PHPNuke Clan 3.0.1 allows remote attackers to include arbitrary files via a URL in the vwar_root2 parameter. NOTE: it is possible that this issue stems from a problem in VWar itself, but this is not clear. Vulnerabilidad de inclusión de fichero PHP remoto en includes/funcions_common.php en el módulo VWar Account (vWar_Account) en PHPNuke Clan 3.0.1 permite a atacantes remotos incluir fichero... • http://secunia.com/advisories/19501 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2005-1028
https://notcve.org/view.php?id=CVE-2005-1028
09 Apr 2005 — PHP-Nuke 6.x through 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) index.php with the forum_admin parameter set, (2) the Surveys module, or (3) the Your_Account module, which reveals the path in a PHP error message. PHP-Nuke 6.x hasta la versión 7.6 permite a atacantes remotos obtener información sensible a través de una petición directa a (1) index.php con el parámetro forum_admin establecido, (2) el módulo Surveys o (3) el módulo Your_Account, lo que revela la rut... • http://marc.info/?l=bugtraq&m=111272010303144&w=2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2004-1842 – PHP-Nuke 6.x/7.0/7.1 - Image Tag Admin Command Execution
https://notcve.org/view.php?id=CVE-2004-1842
31 Dec 2004 — Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php. • https://www.exploit-db.com/exploits/23835 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2CVE-2003-1340
https://notcve.org/view.php?id=CVE-2003-1340
31 Dec 2003 — Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 5.6 and 6.5 allow remote authenticated users to execute arbitrary SQL commands via (1) a uid (user) cookie to modules.php; and allow remote attackers to execute arbitrary SQL commands via an aid (admin) cookie to the Web_Links module in a (2) viewlink, (3) MostPopular, or (4) NewLinksDate action, different vectors than CVE-2003-0279. • http://securityreason.com/securityalert/3185 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •