CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2006-3249
https://notcve.org/view.php?id=CVE-2006-3249
SQL injection vulnerability in search.php in Phorum 5.1.14 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter. NOTE: the vendor has disputed this report, stating "If a non positive integer or non-integer is used for the page parameter for a search URL, the search query will use a negative number for the LIMIT clause. This causes the query to break, showing no results. It IS NOT however a sql injection error." While the original report is from a researcher with mixed accuracy, as of 20060703, CVE does not have any additional information regarding this issue ** DISCUTIDA ** Vulnerabilidad de inyección SQL en search.php en Phorum v5.1.14 y anteriores permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro page. • http://pridels0.blogspot.com/2006/06/phorum-sql-injection-vuln.html http://www.osvdb.org/27165 http://www.phorum.org/cgi-bin/trac.cgi/ticket/382#preview http://www.phorum.org/phorum5/read.php?14%2C114358 https://exchange.xforce.ibmcloud.com/vulnerabilities/27369 •
CVSS: 7.5EPSS: 8%CPEs: 44EXPL: 2CVE-2006-3053 – PHORUM 3.x/5.x - 'Common.php' Remote File Inclusion
https://notcve.org/view.php?id=CVE-2006-3053
PHP remote file inclusion vulnerability in common.php in PHORUM 5.1.13 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the PHORUM[http_path] parameter. NOTE: this issue has been disputed by the vendor, who states "common.php is checked on the very first line of non-comment code that it is not being called directly. It has been this way in all 5.x version of Phorum." CVE analysis concurs with the vendor ** EN DISPUTA ** PHP vulnerabilidad de inclusión de archivo remoto en common.php en Phorum v5.1.13 y anteriores permite a atacantes remotos ejecutar código PHP arbitrario a través de una URL en el parámetro Phorum [http_path]. NOTA: este problema ha sido discutido por el vendedor, quien afirma que "common.php se comprueba en la primera línea de código no comment-que no se está llamando directamente Ha sido así en todas las versiones 5.x de Phorum." • https://www.exploit-db.com/exploits/27363 http://securityreason.com/securityalert/1103 http://www.securityfocus.com/archive/1/436863/100/0/threaded http://www.securityfocus.com/archive/1/437988/100/0/threaded http://www.securityfocus.com/bid/16977 https://exchange.xforce.ibmcloud.com/vulnerabilities/27064 •
CVSS: 5.0EPSS: 4%CPEs: 1EXPL: 2CVE-2006-1151 – m-phorum 0.3 - 'index.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-1151
Cross-site scripting vulnerability in index.php in M-Phorum 0.2 allows remote attackers to inject arbitrary web script or HTML via the go parameter. • https://www.exploit-db.com/exploits/30516 http://biyosecurity.be/bugs/mphorum.txt http://secunia.com/advisories/19121 http://securityvulns.com/Ldocument750.html http://securityvulns.com/source13951.html http://www.osvdb.org/23951 http://www.securityfocus.com/archive/1/427165/100/0/threaded http://www.securityfocus.com/archive/1/477253/100/0/threaded http://www.securityfocus.com/bid/25394 https://exchange.xforce.ibmcloud.com/vulnerabilities/25312 •
CVSS: 5.0EPSS: 1%CPEs: 1EXPL: 0CVE-2006-1152
https://notcve.org/view.php?id=CVE-2006-1152
PHP remote file inclusion vulnerability in index.php in M-Phorum 0.2 allows remote attackers to include arbitrary files via the go parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. • http://secunia.com/advisories/19121 http://www.osvdb.org/23740 http://www.securityfocus.com/bid/16977 http://www.vupen.com/english/advisories/2006/0827 https://exchange.xforce.ibmcloud.com/vulnerabilities/25102 •
CVSS: 6.8EPSS: 1%CPEs: 25EXPL: 1CVE-2005-3543
https://notcve.org/view.php?id=CVE-2005-3543
SQL injection vulnerability in search.php in Phorum 5.0.0alpha through 5.0.20, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the forum_ids parameter. Vulnerabilidad de inyección de SQL en Phorum 5.0.0alpha a 5.0.20, cuando "register_globals" está habilitado, permite a atacantes ejecutar órdenes SQL de su elección mediante el parámetro forum_id si register_globals está activado en PHP. • http://marc.info/?l=bugtraq&m=113122911424216&w=2 http://phorum.org/story.php?57 http://secunia.com/advisories/17456 http://securityreason.com/securityalert/153 http://www.osvdb.org/20524 http://www.vupen.com/english/advisories/2005/2332 http://www.waraxe.us/advisory-43.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •