
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Jul 2022 — A vulnerability has been found in KB Messages PHP Script 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument username/password with the input 'or''=' leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?id.96619 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 21% • CPEs: 5 • EXPL: 2

16 Jun 2022 — In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when the pdo_mysql extension is used with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability. • https://github.com/amitlttwo/CVE-2022-31626 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSS: 8.1 • EPSS: 0% • CPEs: 5 • EXPL: 1

16 Jun 2022 — In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service. • https://bugs.php.net/bug.php?id=81720 • CWE-590: Free of Memory not on the Heap • CWE-763: Release of Invalid Pointer or Reference • CWE-824: Access of Uninitialized Pointer

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 May 2022 — Ecommerce-project-with-php-and-mysqli-Fruits-Bazar 1.0 is vulnerable to SQL Injection in \search_product.php via the keyword parameters. • https://github.com/APTX-4879/CVE • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 May 2022 — Ecommerce-project-with-php-and-mysqli-Fruits-Bazar- 1.0 is vulnerable to Cross Site Scripting (XSS) in \admin\add_cata.php via the ctg_name parameters. • https://github.com/APTX-4879/CVE • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

28 Apr 2022 — A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php. • http://php-mysql-admin-panel-generator.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 2% • CPEs: 1 • EXPL: 1

25 Apr 2022 — The package czproject/git-php before 4.0.3 is vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. • https://github.com/czproject/git-php/commit/5e82d5479da5f16d37a915de4ec55e1ac78de733 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 3

06 Apr 2022 — PHP-CMS v1.0 was discovered to contain a SQL injection vulnerability via the category parameter in categorymenu.php. • https://github.com/harshitbansal373/PHP-CMS/issues/14 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 3 • EXPL: 1

27 Feb 2022 — In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects code that uses FILTER_VALIDATE_FLOAT with min/max limits. • https://bugs.php.net/bug.php?id=81708 • CWE-416: Use After Free

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Jan 2022 — SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23 allows attackers to execute arbitrary SQL commands via the username and password parameters. • https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')